I’m wrapping up Allen Dulles’ book “The Craft of Intelligence”. The book focuses on the historical context of intelligence agencies; however, Dulles briefly touched on two methods used in training case officers which resonated with me.
First, he referenced the casebook method. This is used heavily in law school, where it analyzes previous court arguments and rulings to generate dialog, act out the proceedings, and properly identify and understand them. Presumably the CIA trainee is given both the various evidence known at the time and what actually transpired, including how the operator responded. The trainee then analyzes the data to determine whether the operator missed a critical piece of data or otherwise made the best decision. 20/20 hindsight can be a valuable training tool. Secondly, he quickly summarized live exercises, i.e. throwing the trainee into realistic simulations. These can be run from various perspectives to learn the underlying motives, responses, and behavior of each side.
Does your team actively leverage these concepts?
Use the casebook methodology with junior-level staff to review previous incident case data and find weak areas of response, wrong and/or right assumptions, and primarily to discover how the senior-level analyst proceeded through his investigation. You do keep historical incident datasets and assessments, right? If not, consider using the Honeynet challenges as ‘casebooks’.
Also, all staff should frequently sit in various exercises, including tabletops and live drills. I classify these drills into two categories: training drills and preparedness drills. Training drills are the best way to experience the emotion, uncertainty, and quick-mindedness needed, outside of an actual incident. Smaller exercises can focus on preparedness (e.g. Does the entire team have contact information for escalation points at the ready? Are their toolsets ready for rapid deployment?).
I see the casebook method and live fires as superb tools for escalating team members’ capabilities and discipline. This is different from knowledge transfer, which is what most infosec courses or certifications stress. It’s not a replacement for such courses but a complement to them. What sort of training methods have worked for you?