Publication Date



The cybersecurity threat landscape evolves quickly, continually, and consequentially. This means that the transfer of cybersecurity learning is crucial. We compared how different recognized “cognitive” transfer theories might help explain and synergize three aspects of cybersecurity education. These include teaching and training in diverse settings, assessing learning formatively & summatively, and testing & measuring achievement, proficiency, & readiness. We excluded newer sociocultural theories and their implications for inclusion as we explore those theories elsewhere. We first summarized the history of cybersecurity education and proficiency standards considering transfer theories. We then explored each theory and reviewed the most relevant cybersecurity education research; in some cases, we broadened our search to computing education. We concluded that (a) archaic differential transfer theories are still influential but have negative implications to be avoided, (b) constructionist theories are popular in K-12 settings but raise issues for assessment and transfer, (c) many embrace a general cognitive science perspective that can resolve tensions between modern cognitive-associationist and cognitive-constructivist theories that are popular with innovators, and (d) new perceptual and coordinative theories have potential worth exploring. These insights should support “generative” cybersecurity learning that transfers readily and widely to future classes, tests, and workplaces. These insights should be beneficial when designing and using cyber “ranges” and other hyper-realistic simulations, where transfer assumptions inform costly design decisions and undergird the validity of performance as evidence of proficiency.