Approaches used for Training

From the empirical data, two groups could be identified regarding the proaches used in the trainings. These approaches were student-centered ap-proach and content-centered apap-proach. In student-centered apap-proach, aspects such as the learners’ work tasks and abilities were mentioned. In content-centered approach, aspects such as relevance to real-life risks and building gen-eral knowledge were central. These two approaches can also be visible in both cyber security training and adult education frameworks.

In the empirical data, student-centered approach in teaching was brought up in the importance of the learner’s role, abilities, and relevance to free time. In cyber security training framework, Karjalainen (2011) perceives

that students should be seen as the vital part of the training as their previous experiences guide their learning. As a basis for her pedagogical requirements regarding effective information security she uses transformation-orientation. In addition to seeing learning to be constructed on previous experiences, Kar-jalainen also sees that the learning should be communal. What this means in regards to teaching approaches, is that the students as a group form new knowledge. Thus, the approach should be student-centered and the content should be formed around the learners experiences. (Karjalainen, 2011)

In addition to these pedagogical requirements, Karjalainen brought up the key entities of information security training. The entities included an explicit asset, which means that the content of the training should be seen as crucial as the learner to reach full efficiency. If the training is not relevant in the protection of the asset, then the training is not efficient and thus is unnecessary.

(Karjalainen, 2011)

In her research, Karjalainen (2011) also recognizes that the objective of the training is goal-oriented, and it is noncognitive and persuasive. Based on Siponen et al. (2006), she argues that IS security training needs more normative training approaches, as the security procedures can be assimilated to norms rather than facts. Persuasiveness is needed in IS security training as the com-mitment to change is low. Non-cognitivism is based on the fact that the IS secu-rity procedures are not necessarily based on any science or facts but on organi-zational context. Lastly Karjalainen notices that IS security trainings usually are focusing on employees’ routine work instead of the focus being on exceptional cases or situations. (Karjalainen, 2011) This then indicates that Karjalainen also sees the content of the training to be as relevant as the learner’s previous expe-riences and the communal construction of knowledge. In other words, both student-centered approach and content-centered approaches are used equally in Karjalainen’s theory.

On the same lines is also Puhakainen (2009). As seen in previous sub-chapter, Puhakainen also has formed requirements that the training should meet in order to effective. These requirements are formed around the percep-tion that students’ previous experiences should be taken into ac-count.(Puhakainen, 2009) This can be interpreted that Puhakainen sees student-centered approach as vital for the training.

Also in Puhakainen’s design theory, the learning is happening in the third phase, which is called instructional design. Before this phase, the in-structional task has been chosen and the needed skills and knowledge to reach the task level have been identified. The instructional design phase in Pu-hakainen’s design theory is divided into two sections. The first section is for the employee to learn about the organization’s principles on information classifica-tion. Also, it should emphasize the importance of the classificaclassifica-tion. It is also addressed that the learner’s previous knowledge should be activated before the learning situation. The second section is about the specific risks related to the topic at hand. This should be done as instructor supervised collaborative work.

(Puhakainen, 2009) In other words, the content of the training sets the goals for

the training, but the skill levels of the learners in the beginning is also important to analyze, so that the training can target right aspects to reach the goals set in the beginning. Thus, Puhakainen also uses both student-centered and content-centered approaches in his design theory.

In the cyber security framework, also guidelines can be seen to ap-proach teaching situation from both perspectives. The NIST SP 800-16 (1998) introduces a matrix, which can be used in helping to form right instructional material for the training, which are specifically targeted to the participants. The goal of the matrix is to help in developing and designing proper and targeted training for different job tasks. The matrix is built with the training content forming three categories, which are divided into sub-categories. The main con-tent categories are:

1) Laws and Regulations 2) Security Program

3) System Life Cycle Security

The roles of the learners are divided into six categories. The categories are:

1) Manage,

Thus, the job role of the learner is perceived to be important as well as the con-tent. However, the guideline does not take into account the learners’ roles out-side of the work. The guideline is from time, when digitalization was not as central as it is nowadays, so that could be the reason for this lacking.

In adult education, the emphasis on the teaching approach is seen focused on the learner. Thus, the learner is central in the teaching regardless of the content. The framework also gives explicit claims on how the learner should be perceived in order the teaching to be effective.

In andragogy, six assumption regarding adults as learners are pre-sented, which can be seen as guidelines for teaching as well. The first assump-tion is the self-concept of the learner. This means that adults should be per-ceived as self-directive and thus responsible for their own learning. The second and third assumption are about adults using accumulated experience as the main source for learning and that adults also have readiness to learn. The latter means that different life related aspects, such as work tasks, need to be take into consideration to ensure that adults are capable to focus on learning. The fourth assumption is about adults’ orientation to learn and motivation to learn is the fifth assumption about adult learners. The last assumption is about learner’s need to know. Thus, adults need to understand why they need to learn some-thing. (Merriam & Baumgartner 2020)

Transformative learning theory also focuses on how transformative learning can be achieved from the perspective of the learner. Three fundamen-tal aspects have been recognized in regards to transformative learning, which

are seen teach for transformation. These aspects are: empowering learners, fos-tering critical reflection and self-knowledge, and supporting learner. With em-powering learners, three aspects should be taken into consideration: (1) exercis-ing power responsibly, (2) encouragexercis-ing discourse, and (3) involvexercis-ing learners in decision making. (Carton, 2011, 57)

In adult education, the communal aspect of the learning is per-ceived in the organizational learning theory. The underlying assumption in this theory is that the organization itself is evolving through employees’ learning processes. The learning can happen either intentionally or unintentionally, and the learning is communal as the overall learning is perceived to be greater than individual learning. The organizational learning is also important from the per-spective of the organization as it enhances the relevance of the organization in the markets. (Merriam & Baumgartner, 2020)

Thus, as a conclusion both of the approach groups identified from the empirical data can be seen as relevant from the point of view of the frame-works. Cyber security framework had both approaches used in an equal matter, and the importance of the learner’s context and the content was seen relevant.

This fits with the empirical data in that in addition to dividing the approaches to content-centered and student-centered, most the companies also distin-guished the student bodies regarding their work roles. This could be an indica-tor that they also use those roles to contextualize the learners.

In adult education framework, the focus is on the learner and thus the student-centered approach is emphasized. The adult learner can be per-ceived to have multiple different special qualities that should be taken into con-sideration in the teaching. Also, to achieve transformative learning special as-pects have to be taken into consideration. This can then be seen an enhancing the justification for the companies to use student-centered approach as one way to approach the learning and teaching situation. In the next sub-chapter the pedagogical methods used will be reflected.