Role play is effective because it involves all our senses to arrive at conclusions based on a scenario and some goals. It is way better than the archaic 'Sage-on-Stage' style of lecture.
But role play requires more preparation, time and patience. The facilitator must also be very knowledgeable in the domain knowledge to literally hit the ground running.
Information security is an ideal subject to be taught with role play. It is by itself dynamic and action oriented. Information security architecture, design and implementation of technical and non-technical controls, essentially pre-empts certain fraudulent or unauthorised actions from taking place. Given such dynamism, students of information security need to have the presence of mind to relate and react to incidents.
For facilitators, here are 5 Steps to Take in Security Incident Role Plays:
1. Create a scenario
- If you have not encountered a real-life one, look them on the Internet.
- Make modifications to the scenarios so that they protect the guilty and the victim in the incident.
- Make modifications so that it is practicable for a classroom role play. For instance, if there is going to be roofs collapsing in the scenario, you have to think of ways to simulate it effectively.
- Try to make the exercise visual. It is easier for your participants to react to.
2. Assign roles
- Put depth into your character. Give your roles the motivation and the penalties for failure.
- Put boundaries to what they are allowed to do and otherwise. This is not to limit their creativity, but to pin them down to some realities in an incident. For instance, it is unlikely that they will have an unlimited budget to solve the problem.
3. Break each role into groups for discussion
- Ensure that everyone in the group participates and there are no passengers.
- Allow the participants to learn from their commonsense - effectively starting in the middle from an observation and building their findings upwards or downwards in the hierarchy of knowlege.
- Sometimes, you may have to intervene to ensure that there is fair discussion, that no one is trying to impose their values on the other. Note that this is not necessarily taking sides of who is right or wrong.
4. Video the role play
- With today's very affordable access to technology, it costs next to nothing to record the performance.
- It is fun and it compels the participants to take the exercise seriously. In odd cases, you may get groups of them giggling and laughing all the way through their performance.
5. Review of what is learnt
- List down what is learned.
- Rationalise the list and compare it with what is established in the text book or industry practice. Are they different? Discuss why.
- Note the gaps of what is still not realised or learned and plan them as learning goals in the next role play exercise.
Watch this space for the next article about "Learning Programme Development".
There, you move to managing knowledge in the organisation, prioritising the areas of upgrade, planning internal skill mobility and leveraging the skills to grow the business.