Channel: SCN : All Content - Security

They are so quiet, I am sure they don’t like it!


When I started to do the first Threat Modeling workshops as a moderator I was somewhat unsure how it would be perceived by the participants. As we started with an optional approach we definitely only had development teams that had an interest in securing their software or service. However, and I think that is quite natural – at least for me, the exposure to the group which was expecting a good show from me made me somewhat nervous.

 

In such a situation I tend to try reading between the lines and grab any feedback on how the ‘performance’ is perceived by the audience. I figured out during several workshops that all of a sudden people in the room all went quiet. This made me even more nervous as I assumed that the participants didn’t like the workshop and my moderation. Wouldn’t they engage much more if they were interested? Shouldn’t there be a vital discussion and wild brainstorming instead?

 

After a while I figured out that the quietness might rather be a very good sign. The participants started thinking about their code and the respective security challenges and threats. In hindsight I would rather say: one objective achieved! Isn’t it exactly – at least partially – what we security guys want to achieve? Development teams think about the security of their product!

 

Sure, we are not done with that; we need discussions and wild brainstorming too, and participants need to be active. This is all the more true if the security expert and moderator has not been involved previously in design and development of the solution. So you cannot do a workshop if the participants stay quiet all the time. But doing and talking a lot is meaningless if you do not center it on the code and design in scope. As such it is a very good sign if people in the room are quiet and think from time to time.

 

Achieving the right mix of discussion, brainstorming, and thinking is definitely the job of the moderator. And that is not an easy task. You need to judge the different situations in the workshop and take appropriate measures. Sometimes this might be a quiet period that you let run for a while, sometimes it might be a hefty architecture debate or it might be a situation where you need to explain some security-related topics and show the participants, maybe with examples, what the problem is. But it also requires that you break the silence if it endures, or stop a discussion that is getting lost in a dead end. It is clear to me that it is not only about security but also about moderation.

 

We invested quite a bit of time in preparing and conducting Threat Modeling trainings. I am confident that we reached a good level for teaching content and methodology. Unfortunately we have not figured out a very good approach to teach moderation techniques, and I wonder if we can offer more than some tips and tricks. It might be that moderation skills are a personal trait that is hard to teach.

 

Do you have ideas on how to teach becoming a good moderator? So far you have been relatively quiet (I got no feedback on this blog) – I hope you are still thinking about it.

 

 

Author: Oliver Kling

