Best practice approach when enabling Risk Scores

Recommended Roll-Out for Enabling Risk Scores

When enabling risk scores, we recommend a controlled roll-out using the phases outlined below.

Phase 1 - Enable the Admin Dashboard Only

  • On Day 1, enable the admin dashboard by navigating to Settings > Company Edit (located in the upper-left of the navigation menu). This makes the dashboard visible only to administrators.
  • Risk scores update nightly, so the risk score charts will not contain data on Day 1.

Preferred Departmental Training

After enabling risk scores, end users can be prompted to select the department most relevant to their role. The preferred departmental training charts may take time to populate, depending on when users log in to the platform. This feature can be turned off under Settings > Company Edit > Risk Scores.

Phase 2 - Enable Risk Scores for Your Content

Review your existing content (courses, phishing simulations, policies and surveys) to determine which items would have a beneficial impact on the risk score. For example, you may not want the risk score calculation to include optional or test content, or content that is out of date or not in scope. The more content that has risk scores enabled, the more reliable the risk scores will be.

To enable risk scores for content:

  • Navigate to the Policy, Survey, Course or Phish In Progress tables.
  • In the 'Actions' column, select the drop-down > click 'Turn On Risk Score'.

  • Note: Risk score calculations only include content targeted to users within the last 12 months. Therefore, it's important that you consistently publish content to produce the most accurate risk scores. 

Phase 3 - Analyse & Customise Risk Scores

Analyse

On Day 2, after the nightly sync runs, risk scores will begin populating in the dashboard charts.

Take some time to analyse these. The more content and phishing simulations you publish that have risk scores enabled, the more accurate and reliable the results will be.

For new customers, it may take some time for scores to become more accurate and reliable, depending on platform usage.

Risk Score Customisation

Some organisations prefer to tailor the scoring calculation to align with their specific security priorities. Refer to the following article for more information on customising risk scores: Guidance for customising the Employee Risk Score.

Phase 4 (Optional) - Enable the Admin and End User Dashboard

For greater transparency, some organisations choose to display risk scores to end users on their home page. This can have a positive impact on users by increasing engagement, helping to improve cyber security hygiene and reducing risk scores over time.

However, there are some key considerations to weigh before enabling the end user dashboard. Refer to the following article for more information: Key considerations before enabling Employee Risk Scores.

Summary

  • Begin by enabling risk scores for the admin dashboard only.
  • Review published content and only enable risk scores for content that will be valuable for calculating a strong risk score.
    • The more content and phishing simulations you publish that have risk scores enabled, the more accurate and reliable the risk scores will be over time.
    • Risk score calculations only include content targeted to users within the last 12 months.
  • Analyse the results of risk scores and customise the scoring calculation if needed to reflect your organisation's risk tolerance for each risk factor.
  • Optional: Enable the 'Admin and End User Dashboard'. This will allow end users to see their risk score, providing them with more transparency while also helping to improve their cyber security hygiene. The aim here is to reduce their risk scores over time.