The science behind learning is a fascinating field that’s constantly evolving. There is no single, definitive answer to what the most effective learning technique is, and if there was, it would likely vary from person to person. However, there are a number of evidence-based practices proven to be effective. Let’s see if we can take these and apply them to the realm of cyber security.
A well-known and researched area is that of spacing. You’ll often hear that it’s better to do an hour a day than 7 hours on a single day of the week. Obviously, this heavily depends on your schedule so I should also include that studying on a single day, if that’s all you can do, is better than not studying at all. Don’t think that something isn’t achievable just because we are working slightly sub-optimally.
Personally, I am a morning person. When studying I do 2 hours every day before work. It’s nice to get it out of the way early in the day. And then at the weekend, I do some extra but it’s flexible based on what I have going on that week. If you’re more effective in the evening or night, then schedule your sessions accordingly. Work at a time that suits you, but try and keep to a regular time or session where you always turn up.
The key to getting good at everything and anything in life. But to break this down a little further, consistency helps us:
- Improve memory – being consistent helps us reinforce information. This is especially important for complex things that build on such a large amount of foundational knowledge, such as penetration testing.
- Avoids overloading – our brains need time to process and integrate new information. Short cramming sessions produce short-term results, consistent study provides long-term results.
- Motivation – being consistent helps us stay motivated. The importance of having a manageable long-term schedule that is flexible enough to deal with whatever life throws at you cannot be overstated.
Overall, if you only follow one thing from this post, let it be consistency.
Also known as experiential learning. This is a controversial topic within the industry but there’s strong evidence to support that adults learn more effectively when we have active involvement in our learning process and hands-on experiences.
Mostly these activities are things like:
- Simulated assessments (incident response, forensic investigations, CTFs)
- Real-world assessments (we continue learning even while on the job!)
Let’s take a quick moment to clarify that active learning is really about reinforcing information and building skills on top of knowledge. If you don’t already have some knowledge in the first place, then this is not where you want to be. A quick example is if you have no idea how AD works, it would be better to do some study, reading, or follow a course to first build your foundation, and then expand on that with labs and hands-on materials. Diving straight into the deep end can work, and you will learn new things. But it’s not an effective use of your time and your skills will not be as sharp as they could be.
Something that makes or breaks this as an effective learning tool is difficulty. As a general rule, the more your brain has to work, the deeper it will embed information. I’ve always liked to think of it like a muscle. You train it, and it gets stronger.
If something is too easy, it’s likely that you are refreshing a topic or have extensive prior knowledge of related materials. If something is too difficult, it’s likely that you don’t have enough prior knowledge.
Therefore, with difficulty, it’s important to find a sweet spot. When working on hands-on labs and improving our skills, I personally found that this strategy works for me:
If I am trying to learn new things:
For example, let’s say we have no hands-on experience with Active Directory attacks. I would find some recommended labs for beginners in this area, and try to solve them. If I get stuck for 30 mins and have exhausted all my ideas (you can usually tell as you’ll start to try the same things over again), I’ll take a glimpse at a guide to get me moving again. Then I repeat this process. It’s very efficient for learning new topics and building experience quickly.
If I am trying to improve my workflow or deepen my understanding of a familiar topic:
This assumes we are already somewhat familiar with the area, in my case let’s say Web Application Security. I would choose an appropriate target and I would treat it like I would a professional assessment. I would take notes as I go, be thorough, and stick to my methodology.
So the real crux here is that, if you’re spending many hours without making progress, you’re being inefficient. And that might not be a problem for you, everyone’s situation is different. It really depends on how much free time you have, and what you want to get out of your learning.
My advice is to give things a good stab, but don’t ever be afraid to seek advice, help, or read write-ups.
Dealing with information & resource overload
Not so many years back, resources for learning things like penetration testing were few and far between. But as the industry has grown, so has the amount of content available to us. Depending on where you are in your journey will have a big influence on what you focus on. For example, if you’re just starting out, getting the fundamentals down is definitely a priority and something that will pay dividends throughout your entire career.
The following are some key things to remember to help you stay on track and not get lost in the rabbit holes of available content and courses.
- In general, it’s better to focus on a single or small number of grouped topics at once.
- It’s important to prioritize topics relevant to you.
- Use the variety of content to your advantage. For example, mix up video, written, and hands-on content to learn topics, gain exposure to different perspectives, and reinforce your understanding.
I once tried to learn a new programming language, solve web challenges, and progress a certification simultaneously. I made it about a week before taking a month off of studying. Don’t make the same mistakes, it’s easy to say you’re going to do a tonne of study next week, but really, you could work on something right now. Set a simple and achievable goal, and commit to it. Missing a day is no big deal when you’ve been consistent for months or even years.
Finally, a couple of books I would recommend if you want to learn more about the science of learning are:
- Make It Stick: The Science of Successful Learning
- Ultralearning: Master Hard Skills, Outsmart the Competition, and Accelerate Your Career
If you need advice on what to focus on or some accountability for your goals, join us on discord!
Penetration Testing - PCI Compliance - Auditing
See How We Can Secure Your Assets
Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.