Background

I’ve been working on Security belt programs for 10+ years. I’ve had the privilege to help build the Cisco Security Ninja program. I’m also continuing to develop our security belt platform at Security Journey. I’ve created over 500 pieces of learning content. I’ve created material and the assessment questions that go with it. I have an opinion about how best to educate about security, specifically the handling of correct answers. My opinion drives the ways we approach security belt programs.

Assessments and correct answers

Throughout this time, the most often repeated piece of feedback we’ve received is in regards to the correct answers for assessment questions. I decided to think through and write down my response to why I approach assessments the way I do.

My philosophy is to present a well-written question and four possible answers with one correct answer. After the user submits, if it is incorrect, we provide feedback on why the choice was wrong. Intentionally, we do not offer the right answer.

 

 

Users often reach out to let us know that most training platforms provide them with the correct answer after each question. My inclination is that we’re not like most training platforms. Our focus is on educating individuals and changing organizational security culture. We want those that earn security belts to understand the concepts presented. We want them to internalize the knowledge and apply it. The application of this knowledge is when security improves. In some cases, they may need to re-review a portion of a lesson to understand the correct answer. We provide a written transcript for each lesson, to assist the user in reviewing.

We want our assessments to be semi-challenging. If we provide the correct answers immediately, we weaken the assessment process by making it too easy. We want passage of these assessments to mean something.

If a platform provides the correct answers, as a result, there is a percentage of the population that will click through assessments to harvest all the answers for a specific lesson’s assessment. Brute forcing through the assessment is not a learning strategy. Even worst, I’ve seen places where the correct answers are compiled into a cheat sheet and shared to enable easy passage of security belts.

Conclusion

In conclusion, our focus is on strong and actionable assessments, as we want to help you build a strong security culture.