Correct answers in our security belt programs

Chris Romeo
CEO & Co-Founder

Background

I’ve been working on security belt programs for more than ten years. I had the privilege of helping build the Cisco Security Ninja program, and I continue to develop our security belt platform at Security Journey. I’ve created over 500 pieces of learning content, along with the assessment questions that go with it. I have an opinion about how best to educate people about security, and specifically about how to handle correct answers. That opinion drives the way we approach security belt programs.

Assessments and correct answers

Throughout this time, the most frequently repeated piece of feedback we’ve received concerns the correct answers for assessment questions. I decided to think through, and write down, why I approach assessments the way I do.

My philosophy is to present a well-written question with four possible answers, only one of which is correct. After the user submits, if the choice is incorrect, we provide feedback on why that choice was wrong. Intentionally, we do not reveal the right answer.

Users often reach out to let us know that most training platforms show them the correct answer after each question. My response is that we’re not like most training platforms. Our focus is on educating individuals and changing organizational security culture. We want those who earn security belts to understand the concepts presented, to internalize the knowledge, and to apply it; security improves only when that knowledge is applied. In some cases, a user may need to re-review a portion of a lesson to work out the correct answer. We provide a written transcript for each lesson to assist with that review.

We want our assessments to be moderately challenging. If we reveal the correct answers immediately, we weaken the assessment process by making it too easy. We want passing these assessments to mean something.

If a platform reveals the correct answers, a percentage of the population will simply click through an assessment to harvest every answer for that lesson. Brute-forcing an assessment is not a learning strategy. Even worse, I’ve seen places where the harvested answers were compiled into a cheat sheet and shared to enable easy passage of security belts.
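To make the harvesting concern concrete, here is an added simulation; it is not Security Journey's platform code, and the answer key, the four-option format and the three feedback policies are constructed assumptions. It models the assessment as an oracle that a click-through harvester queries, and counts how many submissions each policy costs. It also shows the caveat a practitioner will want: withholding the answer raises the harvester's cost from one submission per question to at most three (the fourth option is inferred after three misses), so it only stops harvesting when combined with a per-question attempt cap or a question pool large enough that one sitting's key does not transfer.

```python
"""Simulate a click-through harvester against a multiple-choice assessment.

Added illustration, not Security Journey platform code. The answer key,
the four-option format and the three feedback policies are constructed
assumptions used to compare how many submissions a harvester needs.
"""
from typing import Dict, Optional, Tuple

OPTIONS = 4  # four possible answers per question, one correct


class Assessment:
    """Constructed assessment oracle: answers a submission with correct/incorrect,
    optionally reveals the right option after a miss, optionally caps attempts."""

    def __init__(self, key: Dict[int, int], reveal_answer: bool,
                 max_attempts: Optional[int]) -> None:
        self.key = dict(key)                  # question id -> index of the correct option
        self.reveal_answer = reveal_answer    # platform shows the correct answer after a miss
        self.max_attempts = max_attempts      # per-question submission cap, None = unlimited
        self.attempts: Dict[int, int] = {}

    def submit(self, qid: int, choice: int) -> Tuple[bool, Optional[int]]:
        """Return (correct, revealed); revealed is the correct option or None."""
        used = self.attempts.get(qid, 0)
        if self.max_attempts is not None and used >= self.max_attempts:
            raise PermissionError(f"question {qid}: attempt limit reached")
        self.attempts[qid] = used + 1
        correct = choice == self.key[qid]
        revealed = self.key[qid] if (self.reveal_answer and not correct) else None
        return correct, revealed


def harvest(assessment: Assessment) -> Tuple[Dict[int, int], int]:
    """Recover as much of the answer key as the oracle allows.

    Returns (recovered_key, total_submissions). With only correct/incorrect
    feedback and no cap, four options cost at most three submissions per
    question: after three misses the last option is inferred, not submitted.
    """
    recovered: Dict[int, int] = {}
    submissions = 0
    for qid in assessment.key:
        misses = 0
        for choice in range(OPTIONS):
            if misses == OPTIONS - 1:         # only one option left: infer it for free
                recovered[qid] = choice
                break
            try:
                correct, revealed = assessment.submit(qid, choice)
            except PermissionError:
                break                         # cap reached; this question stays unknown
            submissions += 1
            if correct:
                recovered[qid] = choice
                break
            if revealed is not None:          # the platform handed over the answer
                recovered[qid] = revealed
                break
            misses += 1
    return recovered, submissions


POLICIES = {
    "reveal answer after a miss": dict(reveal_answer=True, max_attempts=None),
    "feedback only, unlimited retries": dict(reveal_answer=False, max_attempts=None),
    "feedback only, one attempt per question": dict(reveal_answer=False, max_attempts=1),
}


def compare(key: Dict[int, int]) -> Dict[str, Tuple[float, int]]:
    """Run the harvester against each policy on the same key.

    Returns {policy name: (fraction of key recovered, submissions used)}.
    """
    results = {}
    for name, policy in POLICIES.items():
        recovered, submissions = harvest(Assessment(key, **policy))
        results[name] = (len(recovered) / len(key), submissions)
    return results


if __name__ == "__main__":
    # Constructed 20-question key with a fixed seed so the run is reproducible.
    import random
    rng = random.Random(1)
    sample_key = {q: rng.randrange(OPTIONS) for q in range(20)}
    for name, (fraction, used) in compare(sample_key).items():
        print(f"{name:42s} recovered {fraction:4.0%} of the key in {used} submissions")
```

Running the script prints one line per policy. The reveal policy gives the whole key away in one submission per question; feedback-only with unlimited retries still leaks the whole key, just at up to three submissions per question; only the attempt cap leaves most of the key unknown. The attempt cap is the simplest mitigation to model here; drawing each sitting's questions from a larger randomized pool, so that a harvested key is of little use to the next person, is the other common one and is not modelled in the code.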

Conclusion

Our focus is on strong and actionable assessments, because we want to help you build a strong security culture.
