CIRA Security Awareness Training platform

Mount Royal University delivers its online cybersecurity awareness training through the CIRA Security Awareness Training platform. This training tool offers a variety of interactive courses on cybersecurity topics. In addition, it provides you with a risk score to help you determine how prepared you are for a cyberattack. The lower your risk score, the more prepared you are and the less likely you are to become a victim. Everyone who is enrolled in the program starts with a “fair” risk score of 805. Completing training and earning rewards brings your risk score down; risky actions increase it. Here’s how it works:

What increases your risk score?

Incidents

An incident is a “risky behaviour” such as clicking on links in phishing emails and/or entering your login credentials into a fake landing page. Incidents make up 31% to 38% of the risk score.

Exposures

An exposure refers to your MRU login credentials being found in a list of confirmed compromised login credentials by haveibeenpwned.com. If you have been using your MRU email address as a username for non-MRU accounts for a while, your email will likely have exposures. If you haven’t been using it very much, you may not have any. Exposures make up 4% to 10% of the risk score.

What lowers your risk score?

Awareness training

Taking a course lowers your risk score. How much depends on how soon you complete the course after it is assigned and the score you receive.

Everyone will be assigned required training annually. Those new to MRU will have to complete a more thorough training course. In subsequent years, the required training commitment will not exceed 30 minutes. Those who handle payment card data and/or are high value targets are at a higher risk and will be assigned additional training aligned with their role.

Once you have completed your required training, you can enroll in additional courses. You can choose from a variety of topics and even share the information with others. However, taking a training course will only improve your risk score to a certain limit. After that, taking additional training will no longer have an effect. Cybersecurity awareness training makes up 21% to 28% of the risk score.

Rewards

Initially, rewards will only be issued for reporting phishing training emails. However, in time, rewards will also be given for other cyber safe activities and for engaging in the cybersecurity awareness program.

Who else will see my risk score?

Your risk score is for your use only. No one outside of the IT Security team will see it and it will not be used for disciplinary purposes. However, as with our current phishing training program, if the IT Security team sees that you are struggling, we may reach out and offer assistance.

Your risk score is not static.

Although your risk score demonstrates your preparedness to deal with a cyberattack in a transparent, real-time fashion, it is not static. The effects of training, exposures, incidents and rewards degrade over time, ceasing to have any effect at all after a year. To stay prepared to deal with a cyberattack, check your risk score regularly to make sure it hasn’t gone over the 851 level and become “Poor.”