FAQs
General
Please contact the project team.
The following is expected from units who decide to join the project:
- Designate one or several unit administrator(s) who will have delegated access to the ORION/CIRA platform.
- Enroll users.
- Attend project weekly meetings (duration may vary from unit to unit).
- Promote SATP within your unit (e.g. during meetings, via internal communications channels, etc.)
- Encourage users to take the training.
The modules are designed to be short (5-10 minutes).
The onboarding workflow takes up to one hour to complete, then curated modules will be provided on a regular basis. As of September 2023, we are aiming to provide a training refresh every quarter for a maximum of two hours of training per year. This approach will be refined further during Phase 2 of the project.
Templates will be made available to units to communicate with their users prior to onboarding.
The U of T Information Security Strategy SharePoint website also provides resources on how to communicate on various strategic initiatives, including the SAT-Foundations Project.
The learning outcomes framework is available in this section.
We are aiming to run phishing simulations at the institutional level on a monthly basis. This approach will be refined and tested further during Phase 2 of the project.
If your unit is participating in this project, your unit administrator can onboard you.
If you are not sure if your unit is participating, feel free to reach out to our project team, who will be happy to help you!
Currently, the U of T Report Phishing button works with the latest major versions of both Windows and Mac OS and is supported in the following email clients:
- Outlook 2013 and above (desktop or browser-based)
- Office 365
- Outlook app for iOS (Apple)
- Outlook app for Android
If you’re using a different client, you can still report phishing by forwarding the suspicious email to report.phishing@utoronto.ca. This method ensures the phishing simulation is recorded in CIRA, as indicated by the ‘Reported’ status.
Originally, only appointed staff were to be included in phases one and two. However, in response to feedback and increased interest from the U of T community, unit admins are now encouraged to extend the onboarding efforts to non-appointed staff and librarians during phase two.
Faculty members are scheduled for onboarding in phase three, which will run from April 2024 to March 2025.
SAT platform
A risk score is a numerical value used to gauge cyber risk based on user behavior. It amalgamates factors such as learning performance, exposure to phishing and email security. Higher scores denote higher risk levels.
The score is shaped by four key factors: awareness, exposures, incidents and rewards. User behavior, training, exposure to breaches and positive actions influence the score. Decay periods affect how long incidents and rewards influence the score, spanning 365 days.
Even if you’ve completed all the training and tests, your risk score is 500 because there are some cyber threats beyond our control. For instance, you might still be vulnerable to sophisticated phishing emails or visit a malicious website that exploits a new security weakness. We can’t prevent all possible risks, like personal information being stolen from third-party services. So, despite your efforts, there’s still a small chance of a cyber security issue and that’s why your score isn’t 0 but 500.
Users can improve their risk score by taking specific actions to mitigate risk factors and demonstrate positive behavior. Here are some strategies:
- Engage in training: Actively participate in learning activities, such as completing courses and surveys related to cyber security awareness.
- Reduce exposures: Be vigilant about protecting personal information and minimizing exposure to data breaches. Regularly review and update privacy settings on social media accounts and other online platforms. Promptly address any potential security vulnerabilities, such as compromised email accounts.
- Report incidents: Promptly report suspicious emails using the U of T Report Phishing button or forward the email to report.phishing@utoronto.ca if it’s in a shared mailbox.
- Earn rewards: Successfully identifying and reporting phishing simulations or other security threats can lead to rewards that improve the risk score.
Bookmark the following URL: https://uoft.cyberaware.d-zone.ca/sso.
Technical
Yes. Units have delegated access to the platform. They can onboard their users and assign specific training modules as needed.
Please contact your unit administrator or local help desk.
Not at this time.
As of September 2023, and until the end of Phase 2, our focus is on running phishing simulations at the institutional level to provide a baseline to all participating units and fully test/refine the approach as needed. It is important that we foster an environment of positive learning, as per our guiding principles.
Local phishing simulations will be explored in the long term (after Phase 2) to give units the ability to run phishing simulations and better fit their unique discipline-specific needs.