Practical Cybersecurity, part 4 – Metacognition


A third technique that supports transfer is teaching methods that incorporate metacognition. Metacognition is “thinking about thinking” – understanding the reason behind a concept. For example, we all know that the North Pole is cold. Why is it cold? Because it receives less direct sunlight than the equator. Is the South Pole warm or cold? Well, since the South Pole receives less sunlight than the equator, it too must be cold.

Metacognitive approaches help students take control of their learning and organize their knowledge. For many of us, history is a boring list of names, dates and events. But one public schoolteacher was determined to change that. Rather than telling the class about the events of the American Revolution, she assigned one group of students the role of the loyalists and another group the role of the rebels.


The class gathered one day not to recite dates and names, but to debate the merits and detriments of the colonies’ rule by the British. The rebels’ first speaker begins[1]:

England says she keeps troops here for our own protection. On face value, this seems reasonable enough, but there is really no substance to their claims. First of all, who do they think they are protecting us from? The French? Quoting from our friend Mr. Bailey on page 54, ‘By the settlement in Paris in 1763, French power was thrown completely off the continent of North America.’

Clearly not the French then. Maybe they need to protect us from the Spanish? Yet the same war also subdued the Spanish, so they are no real worry either. In fact, the only threat to our order is the Indians . . . but . . . we have a decent militia of our own. . . . So why are they putting troops here? The only possible reason is to keep us in line. With more and more troops coming over, soon every freedom we hold dear will be stripped away. The great irony is that Britain expects us to pay for these vicious troops, these British squelchers of colonial justice.

The loyalists respond:

We moved here, we are paying less taxes than we did for two generations in England, and you complain? Let’s look at why we are being taxed— the main reason is probably because England has a debt of £140,000,000. . . . This sounds a little greedy, I mean what right do they have to take our money simply because they have the power over us.

But did you know that over one-half of their war debt was caused by defending us in the French and Indian War. . . . Taxation without representation isn’t fair. Indeed, it’s tyranny. Yet virtual representation makes this whining of yours an untruth. Every British citizen, whether he had a right to vote or not, is represented in Parliament. Why does this representation not extend to America?

Students then argued amongst themselves regarding the role of paying taxes to the Crown and the benefits they receive. The teacher interrupted the internal debate, and they continued onward, but the point is made – understanding the rationale for both positions strengthens the understanding of the events leading up to the Declaration of Independence. History is no longer names and dates. There is meaning to it. When history comes alive, students retain the information and can transfer names, dates and the rationale behind the American Revolution. The learning sticks.

When it comes to cyber security, we need to take a similar approach. We often give users advice on how not to fall for phishing scams. Your bank will never tell you to log in to its site with your username and password or else be locked out, nor ask you to respond to an email with your username and password. So, don’t do it. But why won’t your bank ever do this?

We must tell users why the bank won’t do this: its employees are never allowed access to users’ accounts; only bad guys ask for passwords. Banks don’t lock users out of their accounts because they would lose customers due to bad customer service. And so forth. Users must be made aware of the rationale behind this.

How could we go about teaching users to do this?

We could start by writing training programs that show what it is like on the other side. Imagine a computer program where the user gets to play the part of the hacker:


As the hacker, you are given a scenario wherein your goal is to figure out a way to trick the user into giving up his username and password. The player then gets points when they succeed in doing nefarious things.

In the next level, you play the part of a bank trying to teach its users to be secure: what could you do to prevent users from losing their passwords while still keeping things easy? (Which, you know, is pretty much exactly what cyber experts do in real life.) The gamer gets points when they pick actual cyber strategies.

Obviously, this would just be a game, but by seeing what it is like to be on the other side of the computer, users are better prepared for when they themselves are targeted. Thinking about both sides reinforces what people learn and subsequently transfer. By learning how to extract underlying themes and principles from their learning exercises, people learn how to apply that knowledge to new situations.

Part 1 – Introduction
Part 2 – Expertise
Part 3 – Experience
Part 4 – Metacognition
Part 5 – What should we teach?
Part 6 – Bringing it all together 

[1] These excerpts are taken from How People Learn: Brain, Mind, Experience and School; National Academy of Sciences, 2004.
