Selecting an eLearning Solution for a Software Security Environment

While organizations are always looking to improve the skills and effectiveness of their employees, high-performing organizations look to build a culture of learning while also “powering” their organizations with formalized training programs.

Improvements in delivery technology have changed the way people learn and consume training. Today, organizations adopt eLearning to improve employee skills through training that is effective and that delivers scalability, consistency, repeatability, and easy access.

In 2017, Will Thalheimer, a leading member of the learning community, conducted an analysis of “learning research” to answer a question asked by many organizations, “Does eLearning actually work?” Thalheimer condensed five meta-analyses that compared eLearning and learning technologies to instructor-led classroom training. From his meta-analyses, he determined that eLearning delivered better results than traditional classroom learning.

Organizations considering eLearning solutions have a wide variety of solutions to choose from. It is imperative that the selected solution aligns with the organization to maximize its benefits.

Benefits of eLearning

1. Content is available anytime and anywhere

Improvements in Learning Management Systems and mobile-friendly courseware allow users to access course content as their schedule permits or dive into particular subjects exactly when that knowledge is required.

2. Courses can be taken repeatedly

With eLearning courses, learners can easily review content whenever required. This is especially beneficial when preparing to perform unfamiliar tasks.

3. Access to consistently updated content

eLearning enables learners to access consistently updated content. It is important to choose a partner that has the capacity to update content as new vulnerabilities are discovered and provide new courses on cutting-edge topics as the needs of the industry shift.

4. Varied approaches are available

Different vendors have different approaches to eLearning:

  • Activities-based exercises
  • Curriculum-based training
  • Just-in-Time Training

There are pros and cons to each approach, and organizations should consider the different approaches available in relation to their environment, as each has its benefits. An important factor is, “When and where do you want to provide this training?” Do you want to provide training after a vulnerability has been discovered? When code is being written? How about as the application is being designed, architected, and implemented?

Activities-based exercises – “Gamification” of training exercises can be fun, engaging, and motivating for some students – particularly for advanced students who already have a good grasp on the subject and are looking to enhance their skills. However, there are two potential shortcomings of gamified exercises which should be considered:

  1. Games may not be suitable for building a “foundation” of knowledge and may be better at “testing” a learner’s knowledge.
  2. Games test knowledge in a way that can be fun for advanced students but can be frustrating for some beginning students. Some organizations believe that if developers already have advanced security knowledge, this is a great way to further accelerate learning; however, if developers are just starting out, curriculum-based training can be more effective.

Curriculum-based eLearning – Subjects are treated like university courses (e.g., explain the attack surface of a programming language in an organized fashion), and learners can review content to focus on specific areas and skip topics that they already understand. Testing (or quizzes) helps measure the effectiveness of curriculum-based eLearning. Some eLearning courseware allows students to “quiz first,” allowing them to demonstrate their mastery of certain subjects and determine which subjects require further study. This approach creates a tailored learning program and saves time.

Just-in-Time Training – Learners consume content exactly at the time that they need it. “Immediate reinforcement of a newly learned skill helps the learner move the acquired knowledge from short-term memory to long-term memory. Many people learn by doing rather than just by hearing. Therefore, immediate use of the learned material should be considered part of the learning process and scheduled as such.” [2] In software security, Just-in-Time Training can be delivered along with vulnerability scan results to help students who are remediating vulnerabilities, or it can be delivered through issue-tracking systems (like Jira) as part of a “Shift Left” strategy to limit the introduction of software vulnerabilities in the first place.

5. Consistency

eLearning ensures that every learner receives the same updated content in the same way and that each learner benefits from the content equally. Organizations want to ensure that developers are addressing vulnerabilities in a consistent fashion with respect to process, code, and testing, which all lead to a uniform application of standards, including compliance standards.

6. Reduced costs

eLearning is more cost-effective and scalable than instructor-led training. Savings come from a reduction in training time (with tailored learning plans and role-based training), travel expenses, course materials, and accommodation, as well as the time learners spend taking the course.

Your developers are your first line of defense and your best defense against application breaches. Software security training effectively improves application security posture and forms the basis of most “Shift Left” strategies.

eLearning delivers training that is high-impact, low-cost, scalable, repeatable, tailored, and consistent.

All of the considerations above play a critical role in ensuring organizations select an eLearning provider that satisfies their needs. However, selection does not always mean choosing one solution over another. Organizations often implement combinations of learning methods, including activities-based, curriculum-based, and Just-in-Time training. While the technical solution may be similar, the way the eLearning solution is implemented will change based on the business needs, and the effectiveness of the training programs will vary as a result. There is no one-size-fits-all approach for eLearning, and it is important that an organization selects the solution that best meets its needs.