We are evaluating a staged release of the training over the Spring 2024 semester. Individuals were randomly selected for the different distribution periods we established. All students, faculty, and staff will receive the training notification by the end of the semester.

If you did not receive the notification, but choose to complete the training now, your progress will be recorded, and you will not receive a future notification.

The training content was updated in February 2024 with the latest insights to threats facing University members and the institution itself. Completion of the training with the latest content is required.

There are several factors that have informed the University's decision to require this of all students and employees. The following list provides a few of the most important factors.

• Cybersecurity awareness training is required under regulation that applies to the University.¹
• Cybersecurity awareness training is a core function of any cybersecurity program. The lack of such training is recognized as a significant weakness by Illinois Office of the Auditor General (OAG).²
• Cybersecurity awareness training is effective at addressing the human element seen in 74% of data breaches.³
• Cybersecurity awareness training has become a factor in obtaining, using, and maintaining cybersecurity insurance.⁴
• Cybersecurity awareness training is required for universities and researchers receiving federally funded awards.⁵

Beyond this, the University handles a large amount of data that is highly sensitive or confidential. The accounts each student and employee has grants them access to the network and systems that store this data. Compromise of these accounts poses a great risk to the institution as well as all individuals it has data about. This training is one piece of a larger puzzle to keep this data secure.

<sup>1. Primary examples of applicable regulation requiring such training: Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), General Data Privacy Regulation (GDPR).
2. Illinois Office of the Auditor General's 2021 Illinois Audit Advisory.
3. Verizon's 2023 Data Breach Investigations Report.
4. EDUCAUSE's FAQ about Cyber Insurance.
5. National Security Presidential Memorandum 33 (NSPM-33) Implementation Guide.</sup>

On average, the training is completed within 21 minutes. However, that time can be skewed by individuals that pause and restart training on a later date. The median time of completions in 2024 is currently 11 minutes.

This training is only required for currently active students, faculty, and staff. If you are no longer active, you can disregard the notification emails. You may notify us at informationsecurity@ilstu.edu if you want to stop the current campaign's reminder emails.

The Information Security Office conducts periodic campaigns to provide notice to students and employees about completing this training. Failure to respond and complete the training can result in restricted access to University technology resources.

Continued noncompliance will be considered as a possible violation of the 9.2 Policy on Appropriate Use of Information Technology Resources and Systems (Appropriate Use Policy). Refer to the 9.2.1 Procedures for Appropriate Use Violations for more information.

Even if technology is not regularly used in your role with the University, the training must be completed.

Employees and students receive an account to access campus technology and services. That account must be well protected by the individual that it is assigned to. This training has been developed to specifically enable individuals to fulfill that requirement.

We are continuing to evaluate training completion results and survey feedback to determine the most appropriate time to distribute this training. If we decide to incorporate this training into the October training series, we will consider excluding those that have completed the latest version within the preceding 12 months.