CISO's perspective from the frontlines

Cybersecurity Literacy in the Age of AI (Part 2)

C

How Humans Learn, How Machines Don’t, and What That Means for the Next Generation of Practitioners

In Part 1 of this series, we traced how AI in cybersecurity went from an academic curiosity to a marketing buzzword, and finally to something genuinely new with the arrival of Large Language Models (LLMs) and the need for developing AI Literacy. But there’s a bigger question underneath all of that—one that doesn’t get asked nearly enough: how do humans actually learn to do this job well, and what happens to that process when AI starts doing the thinking for us?

This isn’t an abstract question. It’s the exact question that will determine whether the next generation of security practitioners is more capable than the last, or quietly less capable while feeling far more productive.

How Humans Actually Learn

Learning isn’t something that happens simply by absorbing information. It happens by doing something, watching what happens, and adjusting. Cognitive science calls this Experiential Learning, and it has been studied for decades because it is the most reliable way people acquire deep, practical skills.

Experiential learning shifts the focus from passive listening to active participation through a continuous, four-stage cycle: doing, reflecting, conceptualizing, and applying what you learn to new situations. Developed by educational theorist David Kolb, this iterative model outlines how learners turn a raw event into lasting knowledge.

As shown in the cycle above, true mastery requires moving through all four phases:

  • Concrete Experience: Engaging in a new, hands-on experience or executing a practical task.
  • Reflective Observation: Stepping back to review, analyze, and reflect on what happened during that experience.
  • Abstract Conceptualization: Drawing conclusions, connecting the experience to existing theories, and generating new ideas based on your reflections.
  • Active Experimentation: Testing these new theories and knowledge in practical, real-world situations—which naturally leads back to new experiences.
Robot and man conversing inside a circular color wheel/infographic labeled 'Thinking' at the bottom, illustrating human–AI collaboration.

the advantages of Experiential Learning

By moving through this loop, practitioners gain significant cognitive advantages:

  • Stronger Knowledge Retention: People remember concepts, facts, and procedures much more clearly when they have actively applied them, compared to mechanical or habitual memorization.
  • Skill Application: It builds practical, highly transferable professional skills such as critical thinking, adaptive problem-solving, and decisive decision-making.
  • Continuous Growth: By focusing as much on the process of learning as the final product, learners are better equipped to adapt when unexpected challenges inevitably arise.

There’s a specific mechanism worth understanding here, especially in the context of cybersecurity, because it explains why hands-on keyboard work is completely irreplaceable:

Theory tells you what should happen. Practice tells you what actually happens—and the gap between those two things is where real understanding lives.

You can read every textbook explanation of how a buffer overflow works, but the moment you actually cause one, watch a program crash, and figure out how to patch it, something clicks that reading could never provide. That’s how skill acquisition works across nearly every high-consequence technical discipline, from surgery to commercial aviation to security research.

Failure Isn’t Optional

Failure is a critical part of the learning process, but here’s something that surprises people: humans don’t actually learn as cleanly from raw failure as we like to believe.

Research by psychologists Lauren Eskreis-Winkler and Ayelet Fishbach found that failure feedback often causes people to mentally “tune out” from a task rather than absorb the lesson. Why? Because failure feels ego-threatening in a way success doesn’t.

While that sounds like it undermines the whole “failure is a teacher” philosophy, the researchers’ more interesting finding is what happens next: when people are given a chance to keep working on the problem after failing, rather than just being told they got it wrong and moving on, failure actually produces better long-term learning than success does.

A single failed attempt with no follow-through teaches you very little. A failed attempt followed by another attempt, and another, is where the real cognitive signal is. This is exactly why trial and error—not passive study—has always been the backbone of technical skill-building. You try something, it doesn’t work, you figure out why, and you try again with better information.

The Quiet Cost of Never Failing

If failure is where durable learning happens, then removing failure from someone’s early experience doesn’t make them better—it makes them brittle.

Think about a junior analyst who is handed an AI tool that resolves every alert correctly before they ever have to reason through the data themselves. They’ll look incredibly productive. They’ll close tickets fast, and their metrics will look great. But they will never build the internal model of “why is this suspicious” that allows them to handle the edge case the tool gets wrong—or worse, the sophisticated attack the tool doesn’t even flag.

The absence of failure isn’t a gift; it’s a deficit. This matters more in cybersecurity than in almost any other technical field because the adversary is an intelligent human who is actively trying to create the exact situations your automated training tools didn’t cover.

The Ability AI Doesn’t Have: Imagining What Didn’t Happen

Here is where humans possess a genuinely unique capability, and it’s worth being precise about it. Humans can engage in counterfactual thinking: the ability to mentally simulate an alternative version of events that never actually happened.

  • “What if I had checked that secondary log before responding?”
  • “What if the attacker had pivoted through the domain controller instead?”
  • “What would have happened if we had isolated that system a week earlier?”

Counterfactual reasoning is central to how humans learn from experience, assign responsibility, plan for future threats, and improve decision-making under intense uncertainty. It’s how a security analyst reviews a missed detection and reconstructs not just what happened, but what should have happened, and what needs to change to achieve that outcome next time.

Large Language Models, for all their genuine capability, do not do this. They generate outputs based on statistical patterns learned from training data. They can describe a counterfactual scenario if you explicitly ask them to write a fictional one, but they aren’t running an internal simulation of “what if things had gone differently” when reflecting on a failed incident response.

This is a structural limitation of how these models work, not something a bigger model or more training data straightforwardly fixes. True counterfactual reasoning requires an understanding of underlying cause-and-effect relationships rather than just statistical correlations.

Learning Cybersecurity Is Different

If you ask ten experienced security practitioners how they got into the field, you’ll likely get ten entirely different answers. That’s not an accident. Cybersecurity doesn’t have a single, standardized entry path the way accounting, nursing, or civil engineering does.

People arrive from IT systems administration, network engineering, software development, internal audit, risk management, compliance, law enforcement, and the grassroots hacker communities that were poking at systems long before “cybersecurity” was a formal corporate job title.

That diversity isn’t a bug; it’s a structural feature of the field because cybersecurity itself is profoundly multi-disciplinary. Understanding a major breach might require technical knowledge of how a network segment was configured, legal knowledge of breach notification obligations, risk management knowledge of what the exposure actually costs the business, and the communication skills to explain all of that to a board of directors that doesn’t speak technical jargon.

No single educational path prepares someone for all of that. People build that massive range of competence over years by moving laterally through the field and running into problems that force them to learn something entirely new.

The Hacker Mindset

It’s worth pausing on one of those entry paths specifically, because it gets misunderstood constantly: the hacker mindset.

Strip away the Hollywood imagery of dark hoodies, glowing green code, and high-caffeine drinks, and what you actually find is a very specific kind of curiosity: an intense desire to understand how a system truly works (not just how its documentation says it works) and a obligation to find out where its boundaries actually live.

A hacker-minded practitioner doesn’t encounter a locked door and simply accept that it’s locked. They wonder how the lock mechanism works, what specific attacks it was designed to resist, and whether it actually resists those attacks in practice.

This instinct built the foundation of modern computing. Open-source software, cryptographic research, and responsible vulnerability disclosure all trace back to the same core habit: pushing a system beyond what it was designed to do, just to see what happens.

That instinct isn’t inherently malicious. It’s the same drive that causes a mechanic to take an engine apart just to understand its timing, or a kid to figure out exactly how far a rule can be bent before it snaps. In defensive security, this mindset is exactly what allows a practitioner to look at a new software architecture and ask, “How could someone abuse this feature?” during the design phase, instead of finding out the answer during a catastrophic incident.

That instinct to test, probe, and question is exactly the analytical muscle we must protect in the age of AI.

The GPS Problem: A Story About Losing Confidence, Not Just Skill

Let’s look at a modern analogy that almost everyone has lived through firsthand.

Before GPS navigation apps existed, getting somewhere unfamiliar took actual cognitive effort. You would study a physical map beforehand, memorize a sequence of turns, ask someone for directions, mentally rehearse the route, or simply set out and course-correct as you drove. Sometimes you got lost. But you built something invaluable in the process: an internal mental model of your city, a strong spatial sense of direction, and a real, earned confidence that you were the kind of person who could figure out how to get somewhere, even without a safety net.

Then GPS apps arrived. Eventually, they got good enough to fold in live traffic data and reroute you dynamically in real time. As a result, millions of people became entirely dependent on them.

The consequence? People lost not just the skill of navigating, but the confidence that they could navigate. Ask most drivers today what happens if their phone dies or their app glitches in an unfamiliar territory, and the honest answer isn’t “I’ll figure it out.” It’s a flash of genuine anxiety.

That is the real cost of over-automation: not just the loss of a skill you rarely use, but the gradual erosion of the self-trust that used to come from knowing you could handle an unexpected situation yourself. This is exactly the pattern we need to watch out for in cybersecurity as AI tools take on more of our daily analytical load.

Will Security Practitioners Lose Their Skills?

This is the question the GPS story is really pointing at, and it deserves a direct answer rather than a hedge: it depends entirely on how the tools get used, not on whether they get used.

The cognitive research on this is clear. A 2024 study examined how AI assistance can accelerate skill decay among seasoned experts and, more concerning, significantly hinder skill acquisition in people who are still developing expertise in the first place.

That second part matters enormously for cybersecurity, where a massive share of the global workforce is still early in that multi-disciplinary journey. If a junior analyst never has to reason through why an alert is suspicious because the AI has already provided the verdict, they don’t just skip a tedious step—they skip the exact cognitive processing that builds professional judgment.

This connects directly to a well-documented psychological phenomenon called automation bias: the systematic tendency to over-rely on automated systems and under-scrutinize their output, even when that output is completely wrong.

Automation bias has been studied for decades in high-stakes fields like commercial aviation and radiology. One particularly critical finding is that humans struggling with automation bias find it incredibly difficult to recalibrate their trust, even when the automated system’s performance takes a turn for the worse.

Translate that into a Security Operations Center (SOC): an analyst who is used to an AI triage tool being right 95% of the time has no reliable internal alarm for the 5% of the time it is confidently wrong—precisely because they’ve stopped practicing the underlying analytical reasoning that would allow them to catch the mistake.

Our skills won’t automatically vanish, but they will atrophy in the exact population that can least afford it, unless leaders and practitioners are highly deliberate about preventing it.

Why Analytical Learning Is Not Optional

It’s worth stating plainly why this matters so much specifically in cybersecurity, as opposed to fields where AI assistance is purely additive: adversaries adapt.

Attackers do not run the exact same playbook twice if it fails. Instead, they actively probe for the exact blind spots that come from atrophied human judgment. A field where the threat matrix itself is intelligent, malicious, and adaptive cannot afford a workforce that has lost the ability to reason from first principles when an AI-generated answer doesn’t fit the anomalous situation in front of them.

Cybersecurity has never been a “learn it once” profession. The multi-disciplinary nature of the field means practitioners are constantly encountering entirely unfamiliar territory. That has always required a comfort with the unknown, and a fierce willingness to dig in and figure it out. That intellectual comfort is precisely the muscle that automation bias quietly erodes.

How to Use AI Without Turning It Into a Black Box

The goal isn’t to reject AI tools—it was never realistic or practical to think we could. The goal is to develop a highly specific kind of intellectual partnership, one that looks meaningfully different from how most people currently interact with consumer LLMs.

Here are five principles that actually hold up in production environments:

  1. Treat AI output as a hypothesis, not a verdict. Always ask “why does the model think this?” rather than just “what does the model say?” Build the explicit habit of checking its analytical reasoning against your own before taking action.
  2. Do the reasoning yourself first, at least sometimes. Preserve the cognitive “rep.” If you outsource the foundational thinking every single time, you will never build the pattern recognition required to catch the model when it hallucinates or misses a subtle indicator of compromise.
  3. Actively seek out and study the cases where the AI is wrong. Those are your highest-value learning moments, precisely because they are rare and because automation bias makes them incredibly easy to miss if you aren’t actively hunting for them.
  4. Use AI to extend your reach, not to avoid learning. An analyst using an LLM to quickly get up to speed on network protocols they don’t know well is building fluency. An analyst using an LLM to avoid ever having to learn those protocols is building a dangerous dependency.
  5. Preserve deliberate practice environments. Maintain hands-on labs, Capture The Flag (CTF) competitions, and red team exercises where failure carries no real-world business cost and is allowed to happen naturally without an AI safety net. This is where the trial-and-error muscle gets built and kept in shape.

What an Effective Human-AI Partnership Actually Looks Like

The right mental model for the future of our workforce isn’t “AI does the easy stuff and I do the hard stuff.” It is much closer to a seasoned pilot’s relationship with a modern flight management system.

The automation handles massive scale and consistent execution—tirelessly correlating millions of raw logs, parsing text, or drafting a first-pass incident timeline. Meanwhile, the human retains absolute ownership of executive judgment, high-level context, and the counterfactual reasoning the machine structurally cannot perform.

There is a legendary 1997 video of a lecture by American Airlines Captain Warren Vanderburgh titled “Children of Magenta Line.” In it, he warned the aviation industry that advanced automation had made pilots far too dependent on simply monitoring the automated lines on their screens rather than actively flying the aircraft. Decades later, his warning remains incredibly relevant to the cybersecurity profession.

That partnership only stays healthy if the human side keeps exercising its half of the equation. GPS didn’t make people inherently worse at moving through the world; it made people who stopped building a mental map worse at moving through the world without a phone in their hand.

The tool isn’t the problem. Unquestioning reliance on it, without maintaining the underlying skills it is supposed to support, is the real threat vector.

Where This Leaves Us

Cybersecurity practitioners came to this field through wildly different doors—IT, networking, software development, audit, law, and hacking—and built their competence the exact same way humans build any complex skill: by trying, failing, reasoning through what went wrong, and trying again with better visibility.

AI can massively accelerate parts of that timeline, but it cannot perform the counterfactual reasoning that turns a raw incident into professional wisdom, and it cannot build a practitioner’s core judgment for them.

The practitioners who thrive over the next decade won’t be the ones who use AI the most. They’ll be the ones who use AI masterfully while actively protecting their own ability to think without it.

In Part 3, we’ll get into exactly what that looks like in practice: specific habits, engineering workflows, and organizational training approaches that build genuine AI fluency without letting our underlying technical skills quietly erode.

About the author

yaron

Yaron is a seasoned multi-industry Cyber Security Leader. He is 2x CISO, Research Fellow for the Cloud Security Alliance, Security Tinkerer, Advisory Board Member for several cyber security startups and venture firms, and a Mentor to other CISOs and members of the security community.

By yaron
CISO's perspective from the frontlines

Topics

Follow me

Get in touch

Do you want to get in touch? have a question? want me to speak at your event? need advice? please use the form below. No sales messages please!