Best practice approach when enabling Risk Scores

When enabling risk scores, we recommend a controlled roll-out using the phases outlined below.

Phase 1 - Enable the admin dashboard only

On Day 1, enable the admin dashboard within Settings > Company Edit (top-left of the navigation menu). This makes the dashboard available to administrators only.

  • Risk scores will update on a nightly basis; therefore, the risk scores charts will have no data on Day 1.

Preferred Departmental Training: After enabling risk scores, end users can be asked to select the department that best relates to their role. The preferred departmental training charts may take some time to populate, depending on when users log in to the platform. This feature can be turned off under Settings > Company Edit > Risk Scores.

Phase 2 - Turn on risk scores for your content

You will need to review which courses, phishing simulations, policies and surveys would have a beneficial impact on the risk score. For example, you may not want optional or test content to be included in the risk score calculation, or content that is out of date or no longer in scope. The more content that risk scores are enabled for, the more reliable the risk scores will be.

  • To turn on risk scores, navigate to the Policy, Survey, Course and Phish In Progress tables > 'Actions' column > select the drop-down > select 'Turn On Risk Score'.

  • Please note: The risk score calculation will only include content that has been targeted to users within the last 12 months. Therefore, it is important that you consistently publish content to produce the most accurate risk scores.

Phase 3 - Analyse & customise the risk scores

Analyse

On Day 2, after the nightly sync runs, risk scores will populate into the dashboard charts. Take some time to analyse these. The more content and phishing simulations you publish, and have risk scores enabled for, the more accurate and reliable the risk scores will be.

For new customers, it will likely take some time before more accurate and reliable scores are produced; how long depends on your usage of the platform.

Risk Score Customisation

Some organisations prefer to customise the scoring calculation to match their specific security priorities. Please see the following article for more information on customising risk scores: Guidance for customising the Employee Risk Score

Phase 4 (Optional) - Enable the Admin and End User Dashboard

Some organisations may want to be more transparent with their end users by displaying their risk score on their home page. This can have a positive impact on users by increasing engagement; participation can help to improve cyber security hygiene and reduce risk scores over time.

However, there are some key considerations to take into account before enabling the end user dashboard; please refer to the following article for more information: Key considerations before enabling Employee Risk Scores

To recap:

  • To begin with, turn on risk scores for the admin dashboard only.
  • Review published content and only enable risk scores for content that will be valuable for calculating a strong risk score.
    • The more content and phishing simulations you publish that have risk scores enabled, the more accurate and reliable the risk scores will be over time.
    • Risk score calculations will only include content that has been targeted to users within the last 12 months.
  • Analyse the results of the risk scores and, if required, customise the scoring calculation to match your risk tolerance for each risk factor.
  • Optional: Enable the 'Admin and End User Dashboard' setting.
    • This will allow end users to see their risk score, providing them with more transparency while also helping to improve their cyber security hygiene. The aim here is to reduce their risk scores over time.