CreditsLast Updated 2016-03
This multi-part resource details the basics of the event planning process, built from the documented experience of several experienced trainers - among these steps are gathering inputs, analyzing these inputs, and their subsequent impact on the design, preparation and orientation of a training event.
The information gathered from participants (as well as context analysis) should give you an idea of what their most important needs are with regard to digital security and help you to sketch a draft agenda for their approval, based on the needs which you consider initially to be priority. Keep in mind that that draft will almost certainly change based on the first day of the training, when you directly receive and observe facts about the participants, their context, their needs, and threats that you didn’t clearly know beforehand.
Be clear with your contact what is and isn’t possible in a training in terms of addressing multiple problems or covering a large number of topics in a limited period of time. It’s better to underpromise and overdeliver than vice versa. It is also a bad practice to overpack a training with too much material delivered too quickly, especially if it’s delivered in a primarily lecture-focused or input-heavy classroom environment. This becomes even more ineffective and problematic if you are training partcipants on tools that are unuasable, dangerous, or least useful for them and their peer community.
Finally, given what you have learned and the parameters of the training, what are realistic outcomes to expect of it? How have you communicated this to the participants and, if applicable, to the hosting organization?
If you are in a position to select participants for the training (recommended if possible), you may want to take the following into consideration:
In some cultures, high-ranking staff or directors will often self-select into capacity-building opportunities like a training without necessarily being the appropriate choice, and their presence may stifle open communication among their colleagues. In other cases, they may send employees who are of too low a rank to influence organizational decision-making around safety and information security policies.
Furthermore, if there is a combination of position levels, more junior staff may self-censor when it comes to expressing operational shortcomings with security or other internal practices. In some cases, they send their IT lead who may be over-qualified and even check out of the training as a participant. In this last case, that IT lead or a similarly skilled participant can be an excellent ally and co-trainer for you to build into the training once you’ve identified them as both skilled and trusted by particpants.
If participants come from a number of different organizations, or even from different countries, what is the level of trust between them? Do any conflicts exist? Are there any pre-existing dynamics that you are aware of that could potentially give rise to conflict?
In an ideal world, you will have a relatively homogenous group as far as technical skill level, though this is rarely the case. Try to gather a group of similar skill level as best as possible before the event, with an eye to recruiting trusted members of their community who may be able to provide excellent co-training and support during the event.
If you’ve already arrived to discover a wide range of skills amongst your participants, try to ameliorate this without leaving participants behind, feeling disempowered, or feeling bored. This can be immensely tricky and is obviously easier said than done. Depending on the situation, you could consider pairing more skilled and less skilled participants up during activities and hands-on sessions, while being mindful of the potential pitfalls of this (less-skilled participants being left behind or feeling foolish, more skilled participants taking over a hands-on installation, etc.). You may also want to divide the class up if you have enough co-trainers available; although this can lose group cohesion, it may be a worthy way to mitigate the issue if a skills gap is too wide in the classroom.
If a training candidate has recently experienced a traumatic event, they are probably unable to benefit from a training. In addition, the training could add to their distress. To read more about this and how trauma and stress affects participants, trainers, and the training room, please read the The Psychosocial Underpinnings of Security Training resource.
If you are in a position to select the venue for the training, you may want to take the following questions into consideration. We also strongly suggest, if possible, that you spend time in the venue the day before the training in order to troubleshoot any issues once you are on-site at the training location.
When asking about the internet connection speed at a venue, try not to accept simply “good” as an answer. If you have contact with whoever administers the venue, try to get concrete statistics as to the upload and download speed. Bring a local router in case you need to set up a network for the participants, and if you’re at a hotel or conference location, be prepared to have the local IT admin add your MAC address if needed.
The event planning inputs should also help you define the best means by which to deliver the training (subject to the parameters mentioned above). What is most important to propose in terms of working hours and number of facilitators, given how many participants will be attending? What effects might cultural considerations have on the way you deliver the training? What about any technological or connectivity limitations such as trainee devices, low internet bandwidth, etc.?