[MUSIC] Among IT support staff, there is a common belief that most technical problems are in the chair, not in the computer. This is called a PICNIC: problem in chair, not in computer. The reality, though, is that systems are rarely intuitive. As such, users must be trained to use them properly. There is a wealth of academic research on the subject of how, when, and why people use systems. An early effort to understand why people use systems is the Technology Acceptance Model, or TAM. This model argues that technology must be easy to use and perceived as useful. With proper training and/or experience, systems can be perceived as easy to use. Alternatively, systems can be designed so that they are intuitive for the user. Mobile apps might fall into this category because developers have no opportunity to train users. Over time, perceived ease of use no longer influences user behavior, largely because the longer we use something, the easier we typically find it to use. Perceived usefulness, by contrast, remains an important driver of users' behavioral intentions over the life of a system. Additionally, researchers have focused on whether users faithfully appropriate technology. Do they use it the way the developers intend? Faithful appropriation includes things like using Microsoft Word to create documents and Microsoft Excel for numbers and arithmetic operations, not vice versa. Of particular interest in thinking about faithful appropriation is the assertion that how technology is used is determined by the user rather than by the features of the system. This research suggests that training is important both to create a perception that technology is easy to use and to help the user understand what the developer's intent was, so that the technology is used appropriately. As a result, training needs to include not simply how to perform a task using a new system, but why it is important to do it that way.
If we delve further into research on knowledge acquisition, we discover the foundational definition of knowledge as having three components: know-what, know-how, and know-why. Know-what refers to basic knowledge of the existence of something. I know what my smartphone is: it's a phone as well as a mini computer. Know-how involves operational knowledge. I know how to use my phone to make calls, surf the Internet, and use installed applications. Know-why digs deeper into the understanding of why things work. To claim know-why knowledge of my phone means I understand the electronics behind the hardware, the infrastructure that provides connectivity, and the framework within which a given application will or will not work on my phone. These components accumulate through different learning processes and have different rates of acquisition, decay, and transfer. I learn some things faster, forget them sooner, and can more easily explain them to others. Further, they build on each other, with each developing a deeper understanding than the last. For example, we can learn what something is simply by being told. However, to learn how something works, we must experience it through practice. And to learn why something happens, we need context. Security training falls under the broader umbrella of organizational Security Education, Training and Awareness programs, or SETA. The objective of these programs is to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees. The intended benefits of such programs include improving employee behavior, communicating a structure for reporting violations, and holding employees accountable. It is important to note that SETA programs focus on the unintended consequences of bad behavior, i.e., accidental security breaches. These are user mistakes rather than hacker activity. SETA programs include three components: awareness, training, and education. How are these different? Awareness focuses on what security is.
Training focuses on how users should react and respond when a threat is encountered. And education focuses on why the organization reacts the way it does. Let's circle back. If we want users to use systems in the way intended by developers, i.e., faithful appropriation, then they must learn both what to do and why. However, know-how and know-why do not exist without know-what. All of this suggests two issues. Number one, SETA programs have three discrete learning outcomes: know-what, know-how, and know-why. And number two, each of these must be approached with a clear understanding of how these knowledge components operate and interrelate. If you think about the annual employee training efforts that are simply narrated PowerPoint, is this awareness, training, or education? Fundamentally, if the user is not interacting with any hands-on applications, it is really more of an awareness effort. It is only creating know-what level knowledge. What about training that includes hands-on exposure? Say, training in a new application environment with some security focus. This is know-how and, according to our definition, it is training. What about an annual event that includes security simulations or something called tabletop exercises? These provide context and get closer to know-why level knowledge. [MUSIC]