Overview of Instructional Unit
The following instructional unit is about workplace security awareness. This unit is the first of six units for mandated security awareness training under the United States Health Insurance Portability and Accountability Act Section 164.530. The curriculum for the course was selected to meet standards set forth by the National Institute of Standards and Technology under SP800-50, Building an Information Technology Security Awareness and Training Program (Wilson and Hash, 2003). By attending this training and completing assessments, students will be prepared to properly address security weaknesses, breaches, and threats within the workplace. This unit will be developed using the systematic design model outlined by Dick and Carey.
Goal of Instruction
The goal of the instruction is to reach mandated HIPAA compliance outlining the requirement of all employees with access to Protected Health Information to attend and successfully pass a security awareness training. Students will reach this goal by demonstrating competency of NIST SP800-50 standards for security awareness and response through obtaining a minimum score of 75% on a summative evaluation presented after each unit of instruction.
Target Population Overview
This unit of instruction is being developed for employees of an organization required to meet standards set forth under the Health Insurance Portability and Accountability Act. These employees will have reached a minimum level of learning comparable to a high school graduate in a traditional high school environment and will have basic computer knowledge consisting of Operating System navigation, Word Processing Suite usage, and Internet usage. Even though the instruction is being developed for a specific company, it could readily be used, with minor modifications, by any company needing security awareness training, assuming the students meet the minimum learning requirements.
Materials Needed For Instructional Unit
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle Learning Management System.
- Computer with network access.
Task Analysis
Task 1.0: Develop a baseline understanding of common security risks
- 1.1: Determine the key elements of security including terminology and specific security needs.
- 1.2: Discuss key elements of information security
- 1.3: Describe the multiple layers of information and computer security.
- 1.4: Explain the benefits of computer security awareness.
- 1.5: Provide a basic computer security checklist.
- Performance Objective 1: Given a multiple-choice test, students will properly answer questions relating to security breaches and security terminology with 75% accuracy.
Task 2.0: Learn about company security policies and procedures
- 2.1: Review and sign company security policies and procedures.
- 2.2: Explain what denotes an incident.
- 2.3: Review of incident reporting procedures.
- Performance Objective 2: Given a scenario, students will be able to properly report an incident and file an incident report with 75% accuracy.
Task 3.0: Develop an understanding of social engineering and how to prevent it
- 3.1: Explain social engineering with several examples.
- 3.2: Describe human-based social engineering techniques.
- 3.3: Describe computer-based social engineering techniques.
- Performance Objective 3: Given multiple scenarios, students can identify social engineering techniques and proper mitigation strategies with 75% accuracy.
Task 4.0: Understand proper usage of data encryption
- 4.1: Explain the concepts of data encryption.
- 4.2: Describe the use of digital signatures to secure communications.
- 4.3: Describe how digital signatures work.
- 4.4: Discuss the different types of data encryption.
- Performance Objective 4: Given a multiple-choice test, students will properly answer questions relating to data encryption with 75% accuracy.
Task 5.0: Develop an understanding of Internet security and proper mitigation techniques
- 5.1: Discuss Internet security threats.
- 5.2: Explain various Instant Messaging (IM) and search engine security weaknesses.
- 5.3: Describe how to test browsers for security.
- Performance Objective 5: Given multiple scenarios, students can identify secure Internet usage strategies, and the proper Internet usage techniques to use with 75% accuracy.
Task 6.0: Understand Information Security and legal compliance
- 6.1: Introduce Health Insurance Portability and Accountability Act (HIPAA)
- 6.2: Provide a checklist for HIPAA compliance
- Performance Objective 6: Given multiple scenarios, students can identify compliant and non-compliant scenarios with 75% accuracy.
- Performance Objective 7: Given a cumulative assessment combining multiple-choice, true/false, and scenario-based questions, students will answer questions with 75% accuracy.
Performance Objectives
Using the concepts of security awareness obtained through the course, obtain a minimum score of 75% on a comprehensive standard-based cumulative assessment. Performance assessments were created for each step of the instructional design and are outlined during the Task Analysis section. The types of assessments included within the lesson plans include:
- Multiple Choice: In this assessment method, the candidate will be given a question, and four (4) choices. Some questions may have multiple answers. The question is marked as correct if the candidate chooses the most correct of the four options as the answer to the question. This assessment method is automatically scored.
- True/False: In this assessment method, the candidate is given a question that is either true or false. The question is marked as correct if the candidate chooses the correct answer. This assessment method is automatically scored.
- Scenario/Simulation-Based: In this assessment method, the candidate is provided a group of scenario-based questions that were determined based on previous incident reports within the organization. The candidate will either complete the simulation on a virtualized desktop or answer a question using a true/false or multiple choice answer as to what should be done in the specific instance described. This assessment method is automatically scored.
National Institute of Standards and Technology SP800-50 Standards
Before going any further, one must say a couple of words about the standards used in the assessment. According to the existing rules, the National Institute of Standards and Technology SP800-50 Standards presuppose that the students should meet the following requirements:
- The ability to acquire the necessary information and, therefore, educate themselves through building awareness and proceeding with training the necessary skills;
- The ability to get their priorities in line to set a specific goal and strive to achieve it in the fastest and the most efficient way possible;
- The ability to evaluate their assets carefully, together with the outside factors, and to set the standards for their performance for the students to strive for;
- The ability to draw a plan of further actions and pick the most appropriate strategy judging by the specifics of the case in question;
- The ability to consider the critique of their actions objectively and act reasonably to solve a specific problem regarding the organizational, industrial, or financial issues;
- The ability to analyze feedback and use it as a guide for further improvement of their performance, as well as being flexible to meet the emerging demands (National Institute of Standards and Technology, 2003).
Lesson Plans
Lesson 1: Foundations of Security
Overview
Students are required by a company security policy to attend security awareness training. This first module will present students with the foundations of the security awareness course, including terminology, needs, and proper usage. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will learn what the layers of security consist of, how to approach security, apply security, and explain the benefits of computer security.
Time: This lesson averages 1.5 hours long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the words Confidentiality, Integrity, Availability.
- Ask students what they think the three words on the screen are, have them record their answers in their notes.
- Provide students the definitions. Invite feedback on the student forums on what they think of the definitions and how they interpret them.
- Provide video presentation on Foundations of Security.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums of what they can do to enhance security.
- Provide quiz on materials presented in the Foundations of Security module.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a multiple-choice test covering the topics reviewed in the course. If a student successfully passes the test with a score of 75% or higher, provide the link to lesson 2.
Grading
Activities 1 and 2 will be graded on a scale from 1 to 5 (1 being the lowest grade, 5 being the highest). As for the quiz, each correct answer counts as 1 point:
Quiz grading
Lesson 2: Security Policies and Procedures
Overview
In this second lesson, students will learn company Security Policies and proper reporting procedures for security breaches. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will review and sign the company security policy, learn what denotes an incident, and perform simulated reporting activities.
Time: This lesson averages 1 hour long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the question “Why Do We Need Security Regulations?”
- Ask students what they think the reason is, and have them record their answers in their notes.
- Provide students the reasoning behind the security regulations. Invite feedback on the student forums on what they think of the definitions and how they interpret them.
- Provide video demonstration on what an incident is and how to report it.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums of how they can enforce security policies.
- Have students review and sign the company security policy.
- Provide quiz on materials presented in the Security Policies and Procedures module.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a scenario-based test covering the topics reviewed in the course. If the student successfully passes the test with a score of 75% or higher, provide the link to lesson 3.
Grading
Since the standards are considerably more stringent in the given assessment, it will be necessary to make the grading rubrics for the quiz shorter and the margin for passing the quiz larger. Thus, it will be possible to detect if some of the students possibly have any issues with the previous course and if there are any gaps in the students’ knowledge acquired in the course of studying:
Test grading
As for assignments number one and two, the students’ performance will be graded according to the level of their engagement and participation on the scale from 1 to 5 (from the least active to the most active). To evaluate the students’ progress, the two results will be considered separately.
Also, to evaluate the students’ progress in the most efficient way, a more detailed evaluation standard should be provided. It should also be noted that, apart from dealing with the quiz, the students will have to consider a real-life scenario. Therefore, it will be reasonable to adopt the following assessment standard:
Lesson 3: Social Engineering
Overview
The biggest weakness in the network is the human element. This course will review methods of social engineering, and how threats can be alleviated. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will learn what social engineering means and how to prevent it.
Time: This lesson averages 1.5 hours long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the words Social Engineering.
- Ask students what they think the words on the screen mean, have them record their answers in their notes.
- Provide students the definitions. Invite feedback on the student forums on what they think of the definitions and how they interpret them.
- Provide video presentation on Social Engineering.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums of what they can do to prevent social engineering.
- Provide quiz on materials presented in Social Engineering.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a scenario-based simulation test covering the topics reviewed in the course. If the student successfully passes the test with a score of 75% or higher, provide the link to lesson 4.
Grading
In the given class, the students’ performance in their assessment, as well as in the above-mentioned quiz, is going to be evaluated by the rubrics for quiz and assessment specified above. To evaluate the students’ progress with the help of a quiz, the aforementioned eight-fold system is going to be used, while for the test, a less complex five-fold structure provided above is going to be utilized. It should also be mentioned that the same grading rubrics will be provided for the evaluation of students’ performance in Activity 1 and Activity 2. Since the given assignments presuppose a group activity, it will be necessary that each of the students should be given one point for an answer. Thus, the minimum score that a student can get in the course of the assessment is 4, one point per answer in each assignment.
Lesson 4: Data Encryption
Overview
At times, sensitive information needs to be sent via electronic means. When performing this, encryption is a requirement. In this course, you will learn when and why to use encryption. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will learn what encryption is, when to use encryption and how to properly apply it.
Time: This lesson averages 1.5 hours long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the word Encryption.
- Ask students what they think the word on the board is and when it should be used, and have them record their answers in their notes.
- Provide students the definition and usage scenarios. Invite feedback on the student forums on what they think of the definition and how they interpret it.
- Provide video presentation on Encryption.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums when they should use encryption.
- Provide quiz on materials presented in the Data Encryption module.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a multiple-choice test covering the topics reviewed in the course. If the student successfully passes the test with a score of 75% or higher, provide the link to lesson 5.
Grading
For the given class, the same quiz and test assessment as the one offered for the first and the second classes are going to be used.
Lesson 5: Internet Security
Overview
The majority of corporate work is now completed using the Internet. Due to this, it is even more important that secure practices be followed when using Internet-connected machines. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will learn proper security practices for Internet-connected machines including terminology, threats, and protection.
Time: This lesson averages 1.5 hours long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the words Internet Security.
- Ask students to describe Internet Security, and have them record their answers in their notes.
- Provide students the definition. Invite feedback on the student forums on what they think of the definitions and how they interpret them.
- Provide video presentation on Internet Security.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums of what they can do to protect themselves online.
- Provide quiz on materials presented in the Internet Security module.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a simulation-based test covering the topics reviewed in the course. If a student successfully passes the test with a score of 75% or higher, provide the link to lesson 6.
Grading
For the given class, the same quiz and test assessment as the one offered for the first and the second classes are going to be used.
Lesson 6: Legal Compliance
Overview
In this industry, federal compliance is required. This course is designed to explain the how and why of these compliance factors, and what compliance means to you. This course is taught through a learning management system, allowing students to progress at their own pace.
Resources Used
- EC-Council, 2009. Cyber Safety (EC-Council Press Series: Security 5) Cengage Learning.
- Custom designed unit materials in Moodle LMS.
- Computer with network access
Lesson Objectives: Today students will learn what compliance means to them and the company, and what they can do to make sure that compliance is upheld.
Time: This lesson averages 1.5 hours long.
Standards: NIST SP800-50
Activities
- Assign students into groups of two using the learning management system (LMS). On the opening screen, have the question “What Does Compliance Mean To Me?”
- Ask students what they think the question means, have them record their answer in their notes.
- Provide students an overview of how compliance directly affects them. Invite feedback on the student forums on what they think of the definitions and how they interpret them.
- Provide video presentation on Legal Compliance.
- Have students review the presentation at their own pace, and provide feedback in the student forums as to interpretations.
- Have students write a brief overview of the student forums on how to uphold compliance.
- Provide quiz on materials presented in the Legal Compliance module.
- Students can progress to the final assessment if the quiz is at least 80% correct.
- Failure to achieve a passing quiz score will result in the student being required to retake the course.
Assessment
Provide the students with a scenario-based true/false test covering the topics reviewed in the course with a required passing score of 75%. If the student successfully passes the test, provide the link to the final, cumulative exam.
Grading
For the given class, the same quiz and test assessment as the one offered for the first and the second classes are going to be used.
Final Assessment
Provide the students with a cumulative exam covering all 6 competency topics. Passing this final assessment with a score of at least 75% will complete the course and notify the human resources department of completion.
Grading
The students are going to be graded by the quiz grading rubrics specified above.
Appendix A
Lesson 1 Assessment
- Your lesson outlines two major types of connections for incoming mail servers. They are __________ and _____________.
  - READ MAIL and SNDMSG
  - CPYNET and ARPANET
  - RD and BARNARD
  - POP and IMAP
  - None of the above
- If you were to send an email message to a coworker, but want your boss to know about the message as well without your coworker knowing you told your boss, what is the best way to accomplish this task?
  - Put both your coworker’s and your boss’s email address in the To field.
  - Put your coworker’s email address in the Cc field and your boss’s email in the To field.
  - Put your coworker’s email address in the To field and your boss’s email in the Bcc field.
  - Put both your coworker’s and your boss’s email address in the Bcc field.
  - None of the above.
- Once you have established an email account you should be able to:
  - Send e-mail messages
  - Receive and send file attachments
  - Store addresses in an address book
  - File email messages into folders
  - All of the above
- The text points out that word processing skills can be used when composing an email message. What feature is only offered by some email clients?
  - Copy
  - Spell check
  - Paste
  - Delete
- Which of the following statements about email is false?
  - Misunderstandings can occur from the wording
  - It is difficult to make formal decisions
  - It is not easy to reach a consensus
  - People will always reply to an email message
  - Detailed information can be easily communicated.
- ______ are designed to replicate themselves across networks to other computers.
  - Payloads
  - Spam
  - Worms
  - Keyboard loggers
  - None of the above
- Which is not a method that worms and viruses are disguised?
  - Screen savers
  - Games
  - Greeting cards
  - Text files
  - Executable files
- What is the name for a program or code that reproduces by being copied or initiating its copying to another program, computer boot sector, or document?
  - Spyware
  - Virus
  - Firewall
  - Norton
- You receive an email that claims that if you forward the email to 15 of your friends you will get lucky otherwise you will have bad luck for the next few months. What will you do?
  - You will forward the email
  - Ignore and just delete the email
  - File an incident report
- You have a Macintosh computer so you do not have to worry about viruses.
  - True
  - False
- Phishing and Pharming are forms of social engineering.
  - True
  - False
- What is “phishing?”
  - Fake e-mails and fraudulent websites designed to fool recipients into revealing personal data
  - A type of computer virus
  - An example of a strong password
  - None of the above
- According to the Computer Security Institute, most information security breaches occur due to what?
  - External Hackers
  - Bad Programming
  - Internal Employees
  - Bad Firewall Settings
- You hear about a new screensaver that you can download from the Internet to put on your PC at work. The screensaver looks interesting and you would like to try it. What should you do?
  - Don’t download the screen saver. This action is not allowed.
  - Download the screen saver and scan it for viruses before installing it.
  - Search the Internet for reports describing this screen saver.
- A program in which malicious code is contained inside apparently harmless applications or data is referred to as what?
  - War dialer
  - Spam trap
  - Trojan horse
Instructional Unit
Instructional Problem Summary
As part of a HIPAA compliance requirement, all employees are required to attend security awareness training upon hire, and at least annually thereafter. While this training is implemented by the organization, the current method of presentation uses multiple days of lecture-based training. The lecture-based training includes elements that result in reduced retention: lack of interaction, limited breaks, inadequate reinforcement strategies, and expressed boredom by the attendees. The expressed boredom shows a distinct inefficiency in the existing program.
The attendees of the training are employees of the organization with an age range of 18 – 50 years and educational background ranging from high school diploma to graduate degree. Attendee job roles range from the receptionist to human resources director with a gender mix of roughly 70% female, 30% male.
The learners are unable to properly retain the instruction due to boredom based on the presentation strategy. While they will retain some of the basic concepts outlined, as the presentation progresses the level of retention has been shown to drop drastically. This lack of retention results in increased risk to the organization as employees are making preventable, security-related mistakes. Specific areas of weakness are related to safe Internet usage and social engineering prevention.
Based on the inabilities of the learners to retain what they are taught, there is a need to adopt a learning strategy that suits the needs of retaining what they learn. This may be through adopting an instructional design and learning approach characterized by a modular, computerized learning system. It may also include the use of charts, analogies, examples, and other interesting things that can stimulate their memories (Fang, Lee & Koh, 2005). This learning approach will reduce the need for lectures as well as reduce the boredom that is characterized by the existing learning model.
A proper learning outcome will be ensured when the employees can remember what they have been taught and apply it within their daily operations in the organization. Additionally, the employees should be able to participate in the learning experience at their own pace. Therefore, there is a need to develop an instructional model that provides the courseware in a method to have a positive impact on the employees allowing them to progress at their own pace.
Determination of Learning Objectives
The instructional process was determined by reviewing an outline provided by the National Institute of Standards and Technology under SP800-50, Building an Information Technology Security Awareness and Training Program (Wilson and Hash, 2003). Further instructional processes were determined by reviewing existing training materials, meeting with the corporate security team, and reviewing security breach incidents. Determining the weaknesses currently within the organization allows the instructional unit to be designed to emphasize learning in employee weak areas.
Learner Analysis
Prerequisite entry for security awareness training should be based on the job function of the employee. Employees must have a specific, variable skill-set to obtain the job they are hired for, and as such would have the skills required for attending training on securely performing the duties they were hired to perform. Across the majority of the job roles that would be affected by the need for security awareness training, the minimum required skills are at least a high school diploma, operational knowledge of a Microsoft Windows-based Operating System including the ability to navigate using mouse and keyboard, working knowledge of the Microsoft Office suite to include Word, Excel, and PowerPoint, and the ability to use common Internet browsers and electronic mail clients to send, receive and locate data.
Following the requisite entry requirements, the competence skill model outlined by Gallagher and Kaiser (2010) would be the best determining factor for who should attend security awareness training. Essentially, if your job function involves computers, you have the base computer competence required to learn effective methods of protection.
The demographic information of this learner is composed of entry-level to mid-level employees with ages ranging from 18 – 50 years and educational background ranging from high school diploma to graduate degree. Attendee job roles range from the receptionist to human resources director with a gender mix of roughly 70% female, 30% male. Ethnicity is a diverse mix of Caucasian, African American, and Hispanic. The job roles from the specified demographic range from janitorial staff to human resources director as HIPAA regulations mandate that all employees be provided security awareness training. The Security Awareness and Training standard mandates that all covered entities must apply the training to all members of the workforce, including management (Wu, 2007).
Task Analysis
The instructional process was determined by reviewing an outline provided by the National Institute of Standards and Technology under SP800-50, Building an Information Technology Security Awareness and Training Program (Wilson and Hash, 2003). Further instructional processes were determined by reviewing existing training materials, meeting with the corporate security team, and reviewing security breach incidents. Determining the weaknesses currently within the organization allows the instructional unit to be designed to emphasize learning in employee weak areas.
Instructional Goal
The instructional goal for the Security Awareness module is “Employees will be trained in a method to properly apply security best practices and demonstrate competency by achieving a score of at least 75% in a battery of exams as an effort to protect information as outlined by federal mandates.”
Instructional Solution
Based on the information gathered during the task analysis phase, a module of instruction in information Security Awareness was developed. The module consists of six instructional units that meet or exceed the federal requirement for similar courses. The units of instruction were developed to be presented in a learning management system (LMS), in this case, Moodle. Each unit of instruction was developed to be modular and is divided into lesson units based on the content covered in the unit. The first unit of instruction was developed using a rapid prototyping model to meet time requirements.
Instructional Unit
The units of instruction for the module were designed using a hybrid model of both Dick and Carey’s Systematic Instructional Design process as well as portions of Wiggins’s Backwards Design model. Due to the time constraint of the need for the unit, rapid prototyping was employed in the design process. After reviewing multiple textbooks that could be used in the training, the developer chose to use Cyber Safety (EC-Council, 2009). Although this is considered a textbook specifically for an entry-level certification, the learning provided within the textbook met or exceeded all mandated federal requirements for knowledge content.
Employing the determined task analysis, the performance objectives were developed. The units of instruction were developed using slight variations of Constructivism and Cognitivism. The first step in the design process was to determine the type of learning. By using Gagne’s Conditions of Learning, it was determined that the majority of the units within the module fell under the Intellectual Skills domain. Following this step, the units of instruction were divided into smaller chunks, or micro-modules, to avoid candidate information overload and enhance the candidate attention span. Following this, elements were created to assist in the reinforcement of the candidate’s progress through the remainder of the module.
Lesson plans were then established for each unit in the module of instruction which was followed by the development of the instructional materials. The format of the lesson plan follows Gagne’s Nine Events of Instruction and was designed specifically to provide self-paced learning and a modular learning path.
The instructional materials, except for the companion manual, were custom developed for use within a learning management system. Elements that were included were illustrations of the text material, videos with subtitles, presentations with audio, online exercises, and discussion boards.
During the development process of the units, numerous instructional strategies were utilized. Units were divided into multiple micro-modules to keep their length short and provide a baseline knowledge that could be built upon. In more detail, Dick and Carey’s Instructional Design model and Wiggins Backward Design were utilized in the course of lesson plan development. The significance of the former model lies in its help in building the experience of the learners. Offering a model of evolving from a novice to an expert, Dick and Carey’s Instructional Design was used to structure the lesson from the introduction of the new material to the successful application of that material in the final test. By introducing the foundations of security training during the first lesson, the teacher will be able to identify the instructional goals following Dick and Carey’s model. As a result, the teacher will analyze the learners and the contexts in which the study material is going to be presented and, therefore, help the students learn to conduct an instructional analysis. When designing the tasks described above and putting them into practice, one must make sure that they are based on the principle of consistent repetition.
Thus, putting the principles of cognitive constructivism into practice, the teacher will make sure that the students acquire the necessary skills. To achieve the desired effect, the teacher should make sure that each of the tasks exercises the same skills while the complexity of the tasks increases gradually. Thus, while in Lesson One the students should only be graded on their knowledge of the basic principles of security, at the end of Lesson Two they should be able not only to recall the basic security guidelines but also to use these guidelines to solve the suggested problems. For example, in the Lesson One final test, one of the tasks requires the students to identify two major types of connections. Therefore, the scenario-based test that comes at the end of the second lesson should require the students to use their connection type identification skills. Thus, Dick and Carey’s Model, with its focus on the repetition of a specific pattern until a specific skill has been acquired, will be implemented. Similarly, Wiggins Backward Design is going to be utilized in the process of teaching. The application of Wiggins Backward Design can be traced in the way the lessons are structured. The desired outcomes of the lesson must be specified before the lesson starts; thus, the teacher is capable of making sure that the lesson is being conducted appropriately.
Moreover, the teacher can make corrections to the course of the lesson and steer it as desired. To convey the significance of the Wiggins Model application, one should consider the following scenario. Suppose that, in the course of Lesson 3, the discussion of the video triggers a change in the lesson topic; that is, the students switch to one of the issues mentioned briefly in the video instead of focusing on the problems in question. Suppose the students hear the threat of hacking mentioned in the video and get carried away commenting on the possibilities of hacking, therefore switching to a different problem. In the given case, the teacher should check the notes on the anticipated outcomes of the lesson.
Having confirmed that understanding the concept of hacking and protection from hacking is not included in the desired outcomes of the lesson, the teacher should give students a prompt that will help them steer their discussion in the proper direction. Finally, the quiz that the students took at the end of the given course can be considered the process of conducting the summative evaluation of the skills and knowledge which the students acquired in the process of studying. Thus, the two models that have been mentioned above can be successfully employed in the course of the lessons. As for the Wiggins Backward Design, it served as a starting point for developing the lesson. Since the specified model presupposed that the desired outcomes should be considered first, it helped define how the goal of the lesson, i.e., teaching the students to use the newly acquired knowledge, could be reached.
Each unit also includes an element of learning by analogy, through scenario-based examples. All units were designed with an element of self-reflection to help the students evaluate their progress. Since the overall units of instruction are being presented in a learning management system, each task is designed so that it must be completed before the next unit becomes available. Students can return to any previous learning unit at any time for a refresher overview of a particular topic.
Each unit contains at least a single element of formative evaluation with a formal formative evaluation at the end of each lesson. An example of a formal formative evaluation can be found in Appendix A.
Based upon the multiple learning styles, and the self-paced learning method with a student discussion board for questions, the design should address the needs of all members of the organization, including candidates that would fall under a special population working within the organization. The special populations within the organization would specifically be employees that do not explicitly require the use of computers within their daily routines. These candidates would fall under custodial and maintenance workers, who under normal circumstances would not be required to attend the full awareness training, merely a subset of the training related to their job duties. As such, the modular design of the instructional unit allows for the candidates to reach the compliance factors required without necessitating attendance of the entire training.
Evaluation of Instructional Unit
After each module was checked for accuracy by the information security team, feedback on it was received directly from the learners through the learning management system student portal. This immediate feedback method permits a rapid collection of student issues with understanding, allowing for additional learning to be added in areas of weakness. Additionally, through using the learning management system, aggregate test scores can be obtained which will show questions that are consistently answered wrong, or answered wrong over a certain threshold. This will allow the instructional designer to review the specific questions and see if additional learning is needed in that specific subject, or if the question itself is vague and needs to be revised.
According to the feedback, most of the students have understood the basics of the NIST SP800-50 standards for security awareness and can apply the acquired knowledge in a very efficient manner. However, the results of the test also show that the students have little understanding of why the NIST SP800-50 standards for security awareness should be followed; in other words, the students do not seem to comprehend the significance of the studied material. For example, the following feedback shows that the students learn the rules by heart without trying to understand their meaning: in the task where they needed to sum up the essence of learning, 80% of the students answered, “Learning is a continuum; it starts with awareness, builds to training, and evolves into education” (National Institute of Standards and Technology, 2013, 7), which is the exact quote from the National Institute of Standards and Technology guide. Instead of paraphrasing the idea, the students preferred to learn it by heart, which shows a lack of enthusiasm for comprehending the rules. The given attitude can be changed with the help of more class activities and more examples of real-life application of the rules in question.
There was also a minor initial revision to the learning videos due to technology changes since the design process started. As such, it was decided to make the videos more presentation-based, with embedded videos, to facilitate rapid change in the event of new requirements or changes to technology. Rather than being a straight video, each is now a presentation template with embedded videos that can be rapidly changed.
References
EC-Council (2009). Cyber Safety (EC-Council Press Series: Security 5). Cengage Learning.
Fang, X., Lee, S. & Koh, S. (2005). The transition of knowledge/skills required for entry-level IS professionals: An exploratory study based on recruiters’ perception. Journal of Computer Information Systems, 46 (1), 58-70.
Gallagher, K. & Kaiser, K. M. (2010). The requisite variety of skills for IT professionals. Communications of the ACM, 53 (8), 144-148.
National Institute of Standards and Technology (2003). National Institute of Standards and Technology SP800-50 standards. Web.
Wilson, M., & Hash, J. (2003). Building an Information Technology Security Awareness and Training Program. Web.
Wu, S. (2007). A guide to HIPAA security and the law. (pp. 44-46). American Bar Association.