The foundations of effective training: the theory of cognitive load

31 July 2023

Second interview with Maurizio Zacchi (here is the first interview), director of the Cyber Guru Cyber Academy.

“The strength of effective corporate training on cybersecurity” – explains Maurizio Zacchi, Academy Director of Cyber Guru – “is to generate substantial and permanent changes in the behaviour of employees, considering that it is precisely the human factor that is the vulnerability through which cybercrime manages to break down protective barriers”.

“More so than worrying about the contents of what is taught, it is important to check the level of learning, and therefore to understand if the teaching will actually arrive, and in the right way, at its destination. That is, if it will generate substantial and permanent changes in behaviour. What matters, therefore, is how effective the teaching method is and that it ensures that the teaching subject matter will be consolidated in the habits of the “learners”, becoming an integral part of the digital posture of each individual”.

To achieve this, it is necessary to rely on the most innovative learning theories. Among these is undoubtedly that of “cognitive load”, developed at the end of the 1980s by John Sweller, which reconstructs the way we learn, highlighting the importance of aligning learning with human cognitive architecture. Cognitive load refers to the effort used in working memory, which is related to the amount of information that working memory can store at the same time. Because working memory has a limited capacity, educational methods must avoid overloading it with activities that do not directly and effectively contribute to learning.

Our mental space is like a computer’s memory: if it is too full, it freezes.

“First of all” – explains Zacchi – “we must take into account that computer security training is aimed at adults who already lead daily lives that are overloaded with mental commitments, and thus risk finding themselves with little energy and availability to devote to training”.

According to the theory of cognitive load, in fact, everything happens inside a container that is our “working memory”. It’s a bit like computer memory: if we overload it, the device will crash. Our brains work a little bit in the same way. For this reason, it is necessary to take into account the availability of “memory” that can be used to transmit new concepts. Filling an already-full container does not offer any benefit.

“Working memory” – continues Zacchi – “must be continuously related to long-term memory, a relationship that good training must be able to manage in the most efficient way. To do this, we need to know what elements weigh on the memory of those who have to undertake the learning process and what needs to be done to optimise the entire learning process”.

The right training is short and focused

Effective training is therefore divided into many small parts (microlearning) and focused from time to time on a single topic (self-contained modules). This is because the brain learns more if it is not overloaded and if it can concentrate on a single focus.

So, it is much better to have many small lessons of a few minutes each, spread over a year rather than eight hours in a row on a one-off occasion.

“A training” – says Zacchi – “that is focused on the short term may seem easier to organise, compared to a training programme spread over the long term, as part of a permanent training approach. But the results are radically different. In the first option, in most cases, the information will be lost and forgotten, in the second it will be transformed into a behavioural approach that will have tangible repercussions on corporate security”.

