Cybersecurity Awareness Training Strategy, Goals and Objectives

The University of Regina Information Security Strategy was updated in 2021 and contains a strategic pillar of “Improve Information Security Awareness, Training, and Culture.” This is in response to the rapidly escalating number of cyberattacks targeting individuals within our university community and our institutional networks and data. Protecting the information of the institution and all members of the university community is a high priority and a shared responsibility.

Additional needs to improve training and awareness were identified in the Nov. 2021 Centre for Internet Security (CIS) Critical Controls assessment. Current practices do not completely align with standard security frameworks such as CIS. Additionally, other security frameworks such as NIST, ISO 27001, and COBIT all similarly recommend a comprehensive awareness and training program as part of an organisation’s IT security program.

As such, the goals of the cybersecurity awareness training program include:

  • With the launch of the new security awareness program, the focus will be on common user security concerns such as password selection, appropriate use of computing resources, and social engineering. The program will also deliver tailored training to specific groups.
  • An important aspect of ensuring compliance with the information security program is the education and awareness of organisational users regarding the importance of and need for information security. The security awareness program will underscore the risks and threats that the University faces, and the role of all users in minimising impacts to the Institution.
  • Employee awareness should start from the point of joining the organisation (e.g., through induction training) and continue regularly.
  • Security awareness programs should consist of training, planned to be administered online, which includes quizzes to gauge retention of training concepts, coupled with a regular schedule of refresher training.
  • All employees of the organisation and, where relevant, third-party users must receive appropriate training and regular updates on the importance of security policies, standards and procedures in the organisation.

At a high level, the objectives of the cybersecurity awareness training program seek to align with the security strategy and include:

  • Uniform training across the University’s human resources.
  • Expand training content available to users.
  • Increase user engagement with ongoing interaction with refresher training and phishing simulation.
  • Increase end user participation with compliance reporting against targets of enrollment, engagement, and risk scores.