Month: October 2021

Developing User Self Sufficiency

I have previously written in relation to the large number of support calls received by IT departments in schools especially towards the start of the new academic year.   A significant portion of these calls relate to users forgetting how to do something using technology, with a number of these relating to what I would consider simple issues.    Using Windows+P for example is a common solution to the common problem of computer displays not showing on classroom projectors, instead showing only on the desktop monitor.  But should IT teams still need to deal with such simplistic issues in a world where Google can quickly serve up the answers?

Self Sufficiency vs. ease

I suspect one of the challenges here is simply ease.   With a good IT support team, a simple issue can be quickly solved with an email or a phone call, with little effort on the part of the user.   This ease of solutions, with every occurrence, reinforces that this approach is the easiest, most convenient and therefore the correct and preferable approach (for the user at least!).

A preferable solution viewed either from the long-term point of view or from that of busy IT support teams, is that users be able to fend for themselves, that they are willing and able to make use of Google to find solutions to their own problems.   Again, if this was to become the common approach, it would eventually reinforce itself as the best approach.   In doing so users would become more self-sufficient and resilient to issues, while IT support teams would be freed up to deal with the issues which are more technical in nature or cannot be solved through a simple Google search.   This always reminds me of the teaching approach used in primary schools of “C3B4ME” or see 3 before me, which encourages students to ask friends, search the internet, read books, and generally consult 3 sources before approaching the teacher in relation to a problem or challenge.

Part of the challenge in the above may relate to the cognitively demanding nature of teaching.   A teacher is considering content knowledge, pedagogical knowledge, the individual traits, and behaviours of each of their students, assessment (formative and summative), timekeeping and many more things in a lesson, so if the cognitive load can be reduced a little by fielding IT issues to IT support, I can see why this may occur.

Usability

I also think it’s important to acknowledge how system and app usability has changed over the years.   When I first started using IT most products, including productivity software and even games, came with detailed instruction manuals.   Now I will admit to not reading these and instead jumping straight it, which is how I suspect most people would have operated, but when you hit issues you had something to refer to as this was therefore you first port of call.    These days more consideration has been given to usability making the learning curve for many apps shallower than it may have been in the past.  Detailed instruction manuals are no longer provided as solutions are more “usable”.  This seems like a good thing, so why do IT support teams still get so many calls?

The general perception of usability is correct in general terms, but when looking at specific solutions in schools it may not hold.   So, a user might have been able to work out TikTok and Facebook on their own with no help but when they hit the schools management information systems (MIS) they struggle.   The MIS is then saw as highly specialised, which to an extent it is, so this merits a call to IT support rather than a look at the help tools or a Google search.

What are IT Services for?

The other question I have in relation to this issue is, if users do become more self sufficient and solve more of their own problems, what does this mean IT Services teams will be doing?   As I mentioned earlier, I believe they would simply be freed up to focus on more technical issues which can’t be easily solved through the support of Google.   I also think the extra time available would also allow them to spend more time looking at how to better use technology, rather than simply repeating the same solutions to repeatedly occurring simple issues.

Conclusion

The challenge for IT teams of encouraging user self sufficiency while still being helpful and user focussed is an ongoing and long-term challenge.   Human habit, ease and user confidence are all wrapped up in this, making the challenge very much a human rather than technological challenge.   This is an important consideration and to me highlights the need to focus on a longer-term plan and the little day to day actions, including the potential to “nudge” behaviours towards the intended outcome of improving users technological self-sufficiency.  

Ultimately IT teams in schools want to see technology used to maximum impact.   I think developing user self-sufficiency in relation to technology, and likely user confidence as associated with self-sufficiency, will help us better achieve this.

Building user awareness

When thinking about cyber security the first area I always put first is developing user awareness as to the risks and what they need to do should they make an error.  Given that most data breaches tend to have user involvement at some point in the incident, often at the beginning, it seems logical to focus first on user awareness, but how do you build user awareness in a busy school?

The old inset model (Compliance)

This is the model by which the training is put on once per year likely at the start of the year with everyone in the school forced to attend.   For me this approach is more about compliance than about improving awareness or understanding.    It makes it easy to prove that all users have been “trained” as you can point to an attendance sheet for example, however in the busy world of schools it is likely a fair part of your audience will be focussing on other tasks rather than the content being presented.   It doesn’t necessarily result in users being more informed and aware of cyber risks than they were prior to the session.  This approach also fails to take into account the constant evolution of cyber threats and the cyber threat landscape.    As such, this model of the once per year training event is no longer sufficient on its own although it still makes for a useful approach when combined with other approaches.

Regular communications and updates

My favoured model of cyber awareness development can be summarised as “little and often”.   I make use of the schools regular bulletin to share examples of phishing emails received in the school, plus tips on how to identify them.  I am increasingly making use of video to share short presentations of 3 or 4 minutes long outlining emerging risks or emerging trends.    The key for me is to make cyber security awareness content something that all users consistently come into contact with on a weekly basis.   Hopefully by doing so they will be more concious of the risks.  Basically, I am using the availability bias to hopefully develop user awareness.

I will also note one important thing here is to vary the content as if the content is always the same it may eventually become ineffective.  As such I use a mix of my own video content, NCSC and other cyber organisations video content, written content with annotated screenshots and even the odd cyber security sea shanty (See here for the cyber sea shanty if you are interested.)

Testing

One of the big things about awareness development is being able to test that it is working.    If your training is about compliance the only test you need is to check that your attendance list has everyone’s name on it but if you are truly after user awareness development you need to check that users awareness has actually developed.   An easy approach to this might be a simple short quiz including alongside new awareness content, with a focus on helping users identify what they don’t know rather than centrally providing scores.   A centralised focus on these scores once again is more about compliance rather than the actual users and user development.   An alternative approach might be regular phishing awareness tests to see whether users fall for a phishing email, or whether they report the issue.   Reducing numbers of users falling for such tests, and increasing numbers of users reporting emails to IT teams both representing improvements in user cyber awareness.

Fear of reporting

Another big challenge is trying to ensure users understand the importance of their vigilance and care in relation to cyber security, and the size of the risk both to them, to the wider staff and students and to the school/college as a whole.    The balance here though is that we need to balance this out against creating fear in users to the point that either they are reluctant to use technology or are reluctant to report concerns or issues. 

For me encouraging people to report is critical both in terms of quickly identifying any issues, but equally importantly in terms of identifying misunderstandings or near misses.   From this information we can refine training and awareness development approaches.    We can basically seek to use the ongoing reports to continually learn and develop as an organisation, in relation to cyber security.

Conclusion: Building a culture (The long road)

It still worries me that some organisations continue to treat cyber security and also data protection as a compliance issue;   For me this is a shallow approach.  The true challenge should be to develop user awareness such that we shouldn’t need to be too concerned in relation to compliance.  

Awareness development in my view isnt a single training session or even a number of training events, tests, etc over the course of a term or academic year.   It’s a longer term project.    Its about building a cyber security culture which isnt a case of days or months, but can be best measured in years.    As such the sooner we all get started with this the better.

There is no tail

I have previously written about how technology is sometimes seen as the solution to all problems, even where sometimes the problem relates to process or people, and therefore is unlikely to be significantly addressed by technology.   A related issue is where technology is seen as the silver bullet but able to act on processes without the engagement of the process owners and those the understand the process. Basically where IT teams are asked to solve a problem using technology without the support of process owners.

This issue often raises memories of concerns being raised as to the tail wagging the dog, in relation to technology, or concerns that what should be happening in relation to an organisational unit or process is controlled and directed by the technology.    I have always understood this view as a teacher.  The process, learning, shouldn’t be directed by the technology, it is the students and the learning which should direct things.    The issue though is that this is overly simplistic.   There are limits of technology, there are risks related to technology use, there are drawbacks or disadvantages as well as advantages to using technology.    As such the technology available, risks, etc need to be taken into consideration and as a result may influence and direct how technology is used in learning, and therefore the learning itself.   It’s a two-way street, although on a continuum I will always come down more on the learning or process side of things rather than the technology side.   Technology should be an enabler.

My concern here is where the IT or technology staff are asked to come up with a solution to fulfil a certain need, IT is the silver bullet, but the task is almost handed off to IT staff rather than engaging IT and technology staff in a partnership with the owners of the process or issue concerned.    The IT staff are unlikely to understand the process in question so how are they to develop or identify a solution which would meet the requirements?  Even if they identify a solution which meet the end requirements, there is the potential that the process involved will not meet the needs or requirements of the process owners.    In order to be successful this challenge needs to involve both the IT staff, bring technology and IT understanding, and the process owners and operators who understand the specific needs and requirements around the process being looked at.     The two groups of staff need to work in partnership each bringing their own expertise, knowledge and experience.

Conclusion

IT projects have a horrid habit of going both over budget and over time.  This tendency occurs across different industries and also within education.    IT staff might not fully understand the problem, the process owners might not clearly communicate the problem, IT staff may try to apply the problem to the solution rather than finding a solution for the problem, there might be scope creep over time, and that’s just a handful of things which can make an IT project more complex than is ideal.   For me the key is partnership and each group of people bringing different things to the table.   What if there is no dog and there is no tail?

The Wi-fi’s not working? Or is it Facebook?

The other days outage of Facebook, WhatsApp and Instagram highlighted to me the complexity of internet services, and how they rely on various technologies, hardware, software, and companies to make things work.  This is the reality, yet the perception is that it is simply “Facebook” or “WhatsApp” a single simple service.

The same is true in schools in particular in relation to Wi-Fi.   How many times have I heard about issues with Wi-Fi?    I would suggest, too many, yet “the Wi-Fi isnt working” implies simplicity where it doesn’t exist.  The need to “fix” the Wi-Fi suggests a single point of failure, a single issue or technology to look at, where in reality the service relies on a number of different technologies and different companies to make work.

Some possible issues

Starting with the user device might be a useful place to start.   This can impact on Wi-Fi.   Recently my team came across a device where the DNS (Domain Name System) server was set to that of Google on the device rather than getting the DNS from the schools’ network.  For safeguarding reasons, we want to see the DNS requests so prevent the use of DNS servers other than our own so this student instantly had issues accessing internet services due to this.  I suspect they may have changed the DNS server for the purposes of bypassing home filtering such as that provided by the likes of Sky broadband.    Next there are students who may be using VPNs to bypass filtering.   Again, depending on the VPN used, this might impact their internet connection or the speed of their internet connection.    Updates which havent been installed on devices may also have an impact or possibly updates to the apps on device rather than the device itself.        

Moving beyond the device, the Wireless Access points may cause issues in terms of signal strength or in terms of their capacity to handle requests for different connected devices at the same time.   I will admit they also may occasionally fall over of their own accord.   It may also be that a “noisy” device is saturating the APs with requests leading to an impact on the service.   Or the issue could be to do with network switching or even the internet bandwidth available to serve all users.    Again a noisy device on the network could be impacting overall network performance.   Your DNS servers or DHCP servers, which provide devices the IP address they require, could also be at fault if they are not operating as they should.   And this is just scratching the surface of the potential causal or contributory factors.

And it doesn’t stop there; The issue might not even be within the school and could relate to issues with the service or site the students are trying to access.   It may be a reputable service which is simply having issues at a given moment in time, a bit like the recent Facebook issue, or it could be a less reputable site which simply isn’t trustworthy or reliable.  It could be that the site uses authentication from a third party, such as Facebook, and this is what is causing the issue, or that the site uses an Infrastructure as a Service (IAAS) vendor and it is they who are having problems.    It could even be a largescale internet routing issue.

Conclusion

This all makes me thing of the Arthur C. Clarke quote regarding advanced technology being indistinguishable from magic.   The challenge is Facebook and internet services in general appear to be simple, in we can all easily use them.   There is no magic there, and as such there can be no magic in their inner workings.    Or at least that is the user perception.  This however is untrue.    There is magic.    There is the magic of so many different technologies, hardware, software and companies working together in unison to deliver the services we come to expect, or at least doing so most of the time.    That is until something goes wrong somewhere in the chain leading to that familiar cry:   “The Wi-fis not working!”

Technology can solve all?

Sometimes there is a belief that technology can make all processes more streamlined and efficient.   I will admit that technology does have the potential to make some or maybe even most processes a bit more efficient through automation, validation of data, etc.   It can also allow us to reimage workflows and processes, however there are times when this isnt the case.

The issue I am getting at here is trying to use technology to solve a problem where the problem itself doesn’t exist in the technology domain.   This might be using technology to solve a human problem or using technology to solve a problem with a given process.

Consider a complex process involving lots of different people who provide approvals at different stages of the process.    This might be seen as a poor process as it may result in action not being taken due to a small number of people not responding or providing their approval.  If this is a manual email-based process it seems logical to use technology to make the process more automated and remove some of the manual processing from the equation.    We might be able to setup reminders, etc to stop people failing to respond.   The issue for me is that the problem may be the complexity of the process.   Does it need to be done this way?   Why do we do it this way?    Is it simply because we have always done it this way?   Does it need all of these approvals?    Could the process be simplified?  

For me, before we look at using technology, I think we need to examine the underlying processes, people, etc first with a critical eye.   We need to avoid trying to use technology as a blunt solution to solve process or people related problems, instead dealing with these problems first before then looking to technology.

This isnt necessarily easy.  In the past I have spent time with departments looking at and mapping their processes and then querying why each part of the process exists.   In some cases there has been a reluctance to accept any changes (“We’ve always done it this way”) therefore either necessitating a bespoke solution or a highly complex off the shelf setup.  Neither of these options work due to potential costs, both financial or resource, and dangers of fragility associated with complexity.  In these cases, I have had to walk away and indicate there may be dissatisfaction with current processes, but there is also a lack of willingness to make concessions and accept change as required of any new solution.   It’s a no deal situation.

I continue to want to support the greater use of technology generally, but I am equally concious that we need to use technology where it matters and where it has impact.    Sometimes technology might only present a marginally gain but at high cost.    We cannot simply look at an issue and expect technology to solve it.    It’s that old, famous phrase: “crap in, [technology enabled] crap out”.