Thread for outcomes of — and connections from — IFF sessions


Hey there! I've been lucky enough to either attend or facilitate a number of wonderful sessions at the Internet Freedom Festival about security tools, journalism, and training pedagogy.

Given the importance of free and open knowledge in the security and journalism communities, I figure Tinfoil is the perfect forum to share findings, connect interested parties, and continue unfinished conversations for those in attendance and abroad.


To get the ball rolling —

I co-facilitated a discussion (session notes linked) about conceptual/cultural/consumer barriers that inhibit the adoption of digital security tools and practices in various at-risk communities.

As a group of trainers and trainees, we anecdotally identified a list of these barriers. The goal of this exercise was to brainstorm ways to respect and confront unaddressed trainee needs that hinder the adoption and retention of the curricula we teach.

In short, the barriers we ID'd were:
-Linguistic and cultural biases based on age/gender/political background/etc.
-Limitations of organizational time and resources
-Lack of motivation for adoption
-Emotional trauma influencing comprehension and presence
-Assumption of importance of training for recipient (against the day-to-day priorities of trainees)
-Absence of digestible linguistic and visual models to talk about security and encryption
-Separation of online/creative/technical communities hinders diversity of thought
-Absence of toolkits/tools for diverse/marginalized user groups
-Bureaucratic BS
-Lack of availability/resources for training of trainers
-Ethical quandary of authoritatively recommending certain tools (fear of "security marketing")

To re-open the conversation —
What other hindrances have you witnessed in digisec trainings? Have you had success breaking down barriers? What groups are already doing inclusive work that you'd like to shout out?


On the barriers of bridging the gap needed to explain security technology concepts to people, Jigsaw and The Washington Post have just released the Sideways Dictionary: a glossary that uses analogies to explain technical terms in layman's terms:

It seems like a great resource for security trainers!


Here are some things I've learned from teaching security trainings, both as an organizer and as a trainer:

  • Don't dumb down the material. People who show up to these trainings are mostly smart and want to learn. I cover high-level concepts thoroughly, but instead of using technical terms, I use complex metaphors that are grounded in the audience's everyday experience. Technical terms are a useful shorthand, however, so after employing a metaphor and making sure that the participants understand the concept, I introduce the term so that I can dispense with the metaphor. This helps build conceptual understanding and introduces participants to security and cryptography terminology. I've encountered trainers who think that meeting people where they are at necessarily means dumbing things down. I really disagree with this approach. I think it hinders knowledge transfer and consistently underestimates the training participants.

  • Thoroughly introduce relatively advanced concepts first, then introduce relatively simple tools that demonstrate those concepts. This gives participants the requisite conceptual orientation to understand the security implications of tools, so that they can make their own security decisions later, without following a checklist. Simple tools that demonstrate the concepts that were covered are important, because they give participants a confidence boost. Introducing cumbersome tools earlier can be demoralizing; participants are more likely to conclude that they are "not a tech person," and will just follow the advice of "experts," instead of getting excited and wanting to learn more, which is what you want.

  • After the training, keep in touch with people who seem really gung-ho and mentor them. There's always going to be one or two people who are really fascinated and want to learn more. By developing these types of relationships over time, you can foster local experts in multiple organizations/communities, who will act as force multipliers. If you make yourself indispensable as a security trainer, you're doing it wrong. The point is to make yourself redundant by building up competence around you.

  • If I'm not familiar with the types of security threats the participants face, I open with a casual discussion with participants to find out what their security needs are, and then let them choose what things I should try to cover.

  • I like to mix 10-20 minute info dumps with 10-20 minute break-out sessions where people do stuff on their own machines. Then I wander around and check in on people. I like to close with open discussion as well as Q/A.