Grades and Meeting Standards – Lessons from Teaching Cybersecurity: Week 12
As I had mentioned previously, this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid wanted to learn Python, I developed an Intro to Python aimed at high school students that I’m teaching weekly. I thought that this would be good fodder for the State of Security. So, whenever I have something interesting to discuss, expect to find it here.
Grades suck. I think this is something that people can universally agree on. Nobody likes them and they serve us in a very limited way. I know I previously said limited information sharing that includes ‘Satisfactory’ or ‘Unsatisfactory’ messaging was useless, and I do believe that, but I also believe that grades are relatively useless. I have always had a love/hate relationship with grades, but as I’m marking my students’ final projects, I’m realizing how much I really dislike grades or, in reality, I hate the power that grading systems hold over us.
The Beginning of the End
Grades and I parted ways in high school. Until that point, I thought they were the greatest thing. They reflected how well I was doing. It was in high school that I realized just how arbitrary grading was and how it could reflect how well I was doing, but it didn’t. My realization occurred in OAC, the 5th year of high school (previously called Grade 13) that we used to have here in Ontario, Canada. My OAC English teacher docked me marks on a written paper because I refused to write ‘he/she’ and instead wrote ‘they’. I argued, rather successfully I felt, that ‘they’ had been used as a singular pronoun in writing for centuries with examples. I was told that ‘they’ had never been and would never be a singular pronoun. These days, I find myself feeling vindicated on the choices I made back in the late 90s; at the time, however, all it did was negatively impact my grade. Similarly, one of my OAC math teachers refused to award full marks because I only provided answers and not complete solutions to the problems. Even after proving at the chalkboard that I was solving them without cheating, I still had marks deducted for doing something correctly.
Meeting Arbitrary Standards
This all makes more sense as you get older and realize that grades aren’t meant to reflect how well you are doing; they’re meant to reflect how well you are doing based on a standard someone else defined. A standard that may or may not make sense.
At the start of the year, I developed a rubric for grading my students’ projects. At the time, the rubric made sense to me… it graded their projects on professionalism, presentation, applicability, information value, and accuracy of the information presented. The rubric has both negatives and positives. It helps to identify the more well-rounded presentations, but it hinders those that may be brilliant and require a bit more polish. That polish is something that many people tend to learn with experience.
As a result, I feel a conflict between “Manager Tyler” and “Professor Tyler” in that I know the grade rankings of my students don’t necessarily indicate what would be my hiring preference. I realize my data set is small, but if I am only able to draw that conclusion due to the additional insight that I have, how can we expect hiring managers to accomplish the same task? I have seen multiple job postings recently that indicate that a transcript must be provided at the time of the first interview for entry level jobs. How much value does that truly add?
Education vs Learning
The other aspect of my teaching this year was a course I developed to introduce Python to high school students, a course I will run again in January as a single day training session. These students will walk away knowing Python; they’ll have learned all about a number of aspects and will have a skill set that acts as a guide should they choose to learn more. They have no formal certification or degree in the subject, but I would argue they know as much as people who have finished a college course in the subject.
These students finished the course and there were no grades assigned. There wasn’t a pass/fail scenario, simply a congratulations on completing the course. They learned something in a relaxed environment without a lot of additional stress and I think it was a much easier learning environment. When you remove grades and let people learn for the sake of learning, I feel like we accomplish more.
Where do we go from here?
I’m not sure what the point was today, other than to suggest that we put too much emphasis on grades. That pass/fail in the back of your mind is definitely stressful. While I’m a fan of having people regurgitate information on command and testing people for their ability to memorize ports, protocols, commands, and other easily searched terms, I’ve learned that I’m in the minority with that opinion. It is, in my mind, 100% true that you are more efficient and more effective at your job if you can recall specific details without having to turn to Google every few minutes. At the same time, you’re not bad at your job if you need to rely on Google; you’re just going to work slower than some of your peers. So, why do we test students? A member of my team just completed his OSCP (Congrats John!) and it’s entirely practical. Are written tests and methods of evaluation that aren’t practical applications still valuable in a world where most people rely on Google? Personally, I still want to say yes, but if I look at the bigger picture, I don’t know that it’s necessarily true.
Would education be better if we moved to a world of pass/fail based on practical, real world applications instead of unrealistic testing and projects? I know that I felt my practical labs and hands on work better reflected my students’ abilities this year than their tests did. Moving forward, could the cybersecurity industry standardize on practical tests and challenges at educational institutions that better reflect the student’s knowledge and understanding? It might be an interesting concept to test.