Month: April 2022

EdTech beyond the lockdowns

I thought, following my recent panel discussion at the Schools an Academies Show in London I would write a short post on my thoughts on the 3 key questions posed as part of the session.

Delivering the curriculum beyond the physical classroom: how can schools effectively implement hybrid learning plans?

Some schools have been doing this for some time, using the flipped classroom for example.    The issue is it needs to work for your school, your context, staff, and students.   It needs to work for your hardware and infrastructure, etc, so just because an approach worked in other schools doesn’t mean you can simply pick up that solution and replicate it in your school.    So, for me it’s about experimenting a little, and taking it slow.   A large part of effective hybrid learning, is the same as traditional face to face learning, and about building up effective learning habits and routines, but this takes time;  We need to allow for this time.   Use what has been learnt over lockdown as to what worked and didn’t work in your school and go from there.   But yes, look at other schools and what appears to work, but pick carefully at the elements of their practice that you wish to implement, and then give these approaches time to embed before seeking to advance further.   And make sure to engage the teachers, students and parents in planning.

Do we finally have enough proof of the pedagogical efficacy of EdTech?

Given the variety of uses of edtech, edtech products, planned outcomes (e.g. academic, or soft skills, global awareness, etc), staff skills, equipment level, student tech skills, etc it is difficult to assess general efficacy accurately.   As I wrote in my last post, it is a bit like assessing the efficacy of a bunch of hand tools, including some hammers, screwdrivers, hand drills and saws.   Their efficacy depends very much on what they are being used for (e.g., using a screwdriver to hammer in a nail) and the skill level of the user, that of a DIY’er or an expert craftsperson.  As such I am not sure what value there is in the question, given the large number of variables involved.   I also note that the more variables involved the greater the likelihood of high levels of variation in results from different research studies plus a tendency for the generalised results to regress towards the mean, and a likely insignificant impact being suggested.   I therefore believe we need to look at a different question, and whether EdTech has the potential to bring about positive improvements or impact in teaching and learning.   Her I believe we already have proof that when used well, it can have a positive impact.   We also have proof that without it learning during a pandemic wouldn’t have been possible, or not to the extent that was achieved.   And we can see we now live in an increasing technological world.   So, if the core of the original question is do we have evidence to support the continued use and required investment in Edtech, I would say yes.

How can leaders empower educators to discover the potential of technology in teaching?

This is about sharing and the organisational culture in my view.  Establishing opportunities for people to share ideas and what worked as well as seeking support on what didn’t.   It is also about encouraging sharing beyond the school using the various sources out there such as Apple Distinguished educators or Microsoft innovative educator experts.   For me twitter is often the go to place and I have heard it described as “the best staffroom in the world”.    So the sharing gets the ideas as to things to try, and then they need to be put into practice and this is where culture and climate come into play.   The climate of the school has to be warm and supportive, and the culture open, thereby empowering people to try things in the knowledge that, they may not work as planned, but where they don’t this simply serves as a learning experience to be shared to help the collective teaching and student body move forward.   In all my years working in education, and using EdTech, or simply technology in education, I have tried lots of different approaches, apps and other tools, with some working well and some not so well.  The key has been I have been lucky to work in schools and colleges which were supportive of these attempts, the potential for them to bring about improvements, but also the acceptance that some might not work.    Now obviously this isnt about throwing out a new app for all students in a school to use and running the risk of a negative experience for all students, but more about piloting and trialling with small groups where, should things don’t work, it is easy to discontinue the trial and recovery or address any negative impact.    Looking back to the question, the key words are discovery and empower;   This requires experimentation, people to feel valued and supported to innovate, the need to share so experiences are collective across staff/students rather than limited to a given teacher or class, plus there needs to be acceptance that the discovery made might simply be that a given tool or approach doesn’t work for your students.

Conclusion

I think the pandemic has both shown the importance of technology in education, plus has helped move schools and colleges forward, driven by the immediate need of the pandemic.    Now the pandemic is (hopefully) receding, we now need to build the intrinsic need and want to continue the development of the use of technology in schools.    It also needs to be something not just put in place now, but something sustainable in the longer term, so a simple purchase of infrastructure and devices in the coming months or year is insufficient if it isnt backed up with a plan for ongoing upgrade and replacement into the future.     I suspect we now stand at the point where the rubber band may be stretched, encouraging a tendency for us to start to rebound back to the “way things were before the pandemic”, so it is now, more than ever, important that we push forward.

Schools and academies Show, London

Am attending the School and Academies show in London this week including being part of a panel session discussing “EdTech Beyond the Lockdowns: Reaching a Long-Term Balance Between Distance and In-Person Learning”.    Firstly, I have my fingers crossed that I can manage to get to London and the event without any of my usual travel mishaps, and if any travel mishaps have to happen the happen after I have finished the panel session.

As always, one of the big benefits to these events is simply the networking side of things and getting to meet and discuss various educational issues with colleagues from schools and colleges from across the UK and beyond.    I note that the Association of Network Managers in Education (ANME), of which I am an ambassador, have a stand (D34) at the event, so it is likely I will spend some of my time there catching up with other ANME members.   Hopefully, I can get a few more selfies at this event, than I did at Bett earlier in the year.

In terms of the panel session, one of the questions posed relates to the efficacy of EdTech and this has got me thinking.    EdTech covers such a broad range of tools, from visualisers to bits of software, AR/VR headsets, the dreaded interactive whiteboard, and many other technologies.  In addition, each technology may be used in different ways dependent on the students, the curriculum content being covered, the access to equipment, etc, plus the impact of EdTech will depend on what impact is being sought, the skill level in tech use of the teachers and the students, the organisational culture of the school plus its climate, along with a multitude of other factors.    In seeking an analogy, I wonder if seeking to access the efficacy of EdTech is much akin to seeking to assess the efficacy of hand tools such as hammers, screwdrivers, saws, etc.    It depends on user skill level, with a skilled tradesperson more likely to get positive outcomes than your average DIY’er.    It also depends on purpose, with a hammer used to nail together your shed seen as more positive, than a hammer being mis-used as a weapon of violence.     As such seeking the general efficacy of EdTech seems a little difficult, or possibly even a little meaningless. 

Maybe we need to change the question and focus on the potential for positive impact.  On this front I think there is plenty of evidence of specific technologies being used in schools and colleges to positive effect.   From this I think it is also possible to identify some of the features which support technology to have a positive impact in schools, such as appropriate staff training, an open and supportive climate which supports innovation and experimentation, collaboration between staff as to successes and challenges plus students and staff who are engaged in what and how technology is used.  

I am looking forward to being part of the School and Academies Show event and to sharing my thoughts, to seeing what exhibitors are there, to networking with peers and hopefully to NOT getting lost, on the wrong train or a similar travel mishap.

Short: Exercise is like Tech Strategy

I thought I would try out a new short blog format, writing slightly shorter blog posts (around 500 words) which get quickly to a point, issue or idea I would like to share.   Hopefully, this will make these posts quick and easy to read, and also quick and easy to produce.

Over the last few years, I have been working hard to try and getting a little bit fitter and healthier.   Initially I experimented with different things such as walking, jogging, and also considered maybe an exercise bike or rowing machine.   Eventually I plumped for running as my choice of activity and found out that the best time for me to do this was first thing in the morning before work.    Next, I tried out the couch to 5k app, and found it worked for me, so I started the programme.    According to the programme it should have taken 9 weeks but for me it took quite a bit longer as I struggled with particular weeks or struggled with motivation or had to step back due to ill health.   When I finally completed couch to 5k, it had been far from the straight-line programme that was originally presented to me by the app and had taken far more than the 9 weeks proposed.

And this is where I draw comparisons with school tech strategy and planning.    It may look like a straight line, a nice project plan, etc, but it is seldom that simple.   There are things we won’t have predicted which will go wrong and therefore require the plan to change.    There are things which will go well, or even opportunities which will present themselves, which weren’t available at the outset.    Basically, like my efforts in running, things are seldom as simple as they seem, plus there is always a need to review and revise plans as you progress.    As such there is a need for flexibility plus a need for acceptance of where things go wrong or fail, accepting them as “just not yet” rather than a finite conclusion.

Fast forward to now, I have completed couch to 5k repeatedly but after a period of a month of not running, am only now back out on the road again.   The issue is I am struggling around the halfway point of couch to 5k, a programme I have repeatedly completed.   My absence away from running for a short period has been enough to see my ability to run reduced back from what it was when I last completed couch to 5k.

And here again is a parallel with tech is schools;   My fitness was only as good as my continued focus and habit.    Equally with tech strategy in schools, it needs to be continually reviewed and given some focus and some effort to keep moving it along, improving and building.   If we don’t do this, whether it is training, procurement, planning, etc, then things will likely start to regress.   And as we come out of a period of pandemic, and a period which has seem such a massive surge forward in terms of tech use in schools, this potential regression worries me.

Personal exercising is like tech strategy.  It requires habitual effort.    It seldom is a straight-line process and will likely involve setbacks as well as successes.   But in the end, the eventual gain is worth the effort.

Thoughts on password strength

Passwords continue to be a key feature of identity management.    As such we need to continue to educate and build awareness around passwords and password management.

As such I have noted a graphic like the below (taken from Hive Systems via Tech Republic) regularly shared in relation to the time taken to crack a password based on different scenarios of password format and length.   The issue for me is that the below paints a picture, which although useful in some ways, overly simplifies the situation.

from Hive systems via TechRepublic

Statistics, statistics and more statistics

The graphic is based on the time taken to progress through all known combinations for a given password.     So, for example, to crack a password of 8 characters based on numbers-only I need to first know that the password is made of numbers-only and therefore that I am only testing these combinations.    So, I would test 1 then 2, 3, 4 and just keep going up through the options.   Now it might be fair to always test numbers-only first, expecting use of numbers-only to be common enough and therefore low hanging fruit for a cyber criminal’s point of view.   It might then equally be fair to suggest that lowercase, mixed case and numbers and mixed case with special characters might each be tested in order based on likelihood and number of combinations presented.    At this point the exercise is feeling like an exercise in obsessive compulsive disorder, in going through every possible combination in sequence, rather than an exercise in trying to quickly and efficiently crack a given password.

And to make matters worse if my password happens to be “Password” or “Password22” then I suspect it would be cracked far faster than the reported 2 mins or 3 weeks respectively.   

Human behaviours and social engineering

The issue here is, if we are truly trying to be efficient in cracking a password we would approach from a heuristic point of view and look at common human behaviours.    We would look at the need for people to remember passwords easily and therefore identify the likely tendency to pick common passwords, passwords relating to recent events or seasonal celebrations, etc.    Rather than seeking to work through every combination we would seek to work through the most common combinations and variations of these common combinations, happy in the fact that as a human set the password they may have fallen into one of these common human behaviours.    And it is at this point that the graphic no longer works for me.

We would also look towards other data as passwords are not set in isolation.   We each set our passwords against the backdrop of our everyday lives, our work, our challenges and our successes, so access to any data on these things can yield information which can be helpful in cracking a password.   And oh, does social media and a quick google search help to provide this data.  So again, the graphic starts to fail us.

What makes a strong password?

Password length definitely does help in making passwords stronger so in this feature the graphic is useful, but it isnt the single measure which I think the graphic implies it to be.    As to the mix of uppercase and special characters, etc, I think in this day and age, this makes limited, but I cant say no, impact on strength.

The factor that the graphic badly misses is the issue of how common the password is likely to be.   If it is common, so relating to a current event or a seasonal event, to the company you work for, or to something else that might be predictable based on the world we live in or you as an individual, based on what can be publicly ascertained about you, then the graphic falls flat on its face.   

So, what can we do about it?

I think sharing this graphic is useful in terms of pushing the need for longer passwords but I think we should take when sharing this graphic on its own.    I think it is useful sharing HaveIBeenPwned’s password testing functionality alongside the graphic such that individuals can use the graphic to assess the length but then use HaveIBeenPwned to assess how common a password is, in the number of times it has appeared in recorded and reported data breaches.

As is often the case, as we seek to find and communicate a message, making it as simple as possible we start to lose some of the detail, and in this case I think the importance of how common or predictable a password is, is a key detail which mustn’t be lost.

References:

Lance.W. (2022) ‘How an 8-character password could be cracked in less than an hour’, TechRepublic, 7th March 2022. Available at: How an 8-character password could be cracked in less than an hour | TechRepublic (Accessed: 12/04/2022).

Cyber and Learning

In schools we need to keep student data secure however equally we need the flexibility to use different learning platforms and tools in the search of effective learning experiences.   There is a clear tension between these two requirements, where it would be fair to consider then the opposite ends of a continuum.    On one end you could have a very secure system, similar to in highly regulated industries like a bank, but in doing so you would lose some of the flexibility needed by teachers.   Alternatively you could have a very open and flexible setup but in doing so would likely open your schools to increased cyber risk.   So how do we navigate the continuum?

The security paradigm

In my view, part of the challenge here is the security paradigm of keeping systems and data secure.    The reality is that we can only measure this after the event, so for every day we don’t suffer an incident, we have achieved this requirement, and we need to achieve this requirement indefinitely.   A single incident would therefore represent total failure.    In the complex world of IT with ever changing threats, this model doesn’t work.

I think we need to accept that if we look far enough ahead there is a certainty of an incident.    As such, we need to make sure this is understood at the senior levels of the school, and then seek to do everything reasonably possible to make sure that incident stays in the future, or failing that, limit the damage caused by an incident.   In considering probability of an incident it’s almost like the doomsday clock, ever moving slightly closer or further away from global catastrophe.

Risk Appetite.

One of the first decisions which I think schools need to identify is their risk appetite.   The more risk you are willing to tolerate, the closer the doomsday clocks hands are to midnight, but the more flexibility you have available.    The less risk you are willing to tolerate, the further away from midnight the doomsday clocks hands are, but the less flexibility you will have.    All schools will have a risk appetite somewhere between the two opposite points, but the question is where on this continuum and how much closer it is to cyber security or to flexibility and learning.

Risk Assessment

The next thing to consider is risk assessment.  How can you seek to manage and mitigate risks if you don’t know what they are?   The more flexibility you need the more risks you will likely need to document.    One of the benefits of risk assessment is to spend time considering what the risks might be, their likelihood and their potential impact.    This then gives an opportunity to prioritise resources to those risks deemed important to the school.   I think it is also worth noting that any risk assessment should be a working and living document, as the nature of schools is one of constant change.

Documenting decisions

It is important that senior staff are aware of the decision-making processes, decisions and risks and therefore it is critical that the risk appetite and risk details are shared with those staff to ensure they are appropriately informed.   This can help with identifying where there is need for additional resourcing but also to identify where risks remain due to mitigation measures being cost or otherwise resource restrictive.   If your focus is on learning, you need to ensure you clearly document the resultant risks which the added flexibility will have opened up.  

 It is also important to remember we will only be able to identify failure in the future, after an incident.   When this happens, we will want to look back to see if the incident was the result of decision, and if so why we took this decision.   Or was the incident simply something which we didn’t consider in our examination of the likely risks?  This requires the decisions around risks to be clearly documented.

Near Misses

Am also going to mention near misses, something I frequently forget to mention.   There is a lot to be gained in terms of knowledge and experience from those “almost” incidents where we come close to a cyber incident.   We need to therefore find ways to capture such incidents, to encourage users to report near misses, etc as otherwise we will have lost valuable intelligence, leaving us only with actual incidents to learn from.

Conclusion

There isnt one answer or solution for all schools in relation to navigating between cyber security and learning/flexibility, however each school will need to consider and make their own decision in this respect.     It needs to be based on context, needs, resources and a variety of other factors, and it should be a concious decision rather than something that simply happens.

On the cyber security side of things, I believe the focus has been for too long on prevention.   Schools don’t have significant cyber security resources but are an enticing target for cyber criminals, so prevention on its own isnt enough.    We need to accept that an incident will happen and therefore shift to a focus on minimization or delay, mitigating risks to delay the incident further into the future, or mitigating risks to reduce the damage when the incident finally does occur.   For this reason I increasingly like the term “cyber resilience” in preference to “cyber security”, as it hints to the need to ready to respond and recover from the inevitable cyber incident.  

Maybe we should all start including a cyber doomsday clock in regular communication with senior staff;  Is this the way forward?