Employee Risk Scores FAQs

What is a 'risk factor'?

A risk factor is any behavior or action that can influence the likelihood of an employee becoming a security threat to the organisation. Risk factors are used to assess the potential risk an employee poses and are quantified to calculate an overall risk score.

How are the risk scores calculated?

The risk scores are calculated using the following 3 risk factors:

a. 33.3% - Fusion Course Performance

  • Overall average of course quiz attempts. 
    • Passing quizzes first time will have a positive impact on scores.
    • The more attempts it takes users to pass quizzes, the more this will negatively impact scores.

b. 33.3% - Interactions with phishing simulations

  • Negative impact on risk score, i.e. score increases
    • Phishing simulation clicks/QR Scan
    • Data Entry
  • Positive impact on risk score
    • Report phish via the MetaPhish 'Report' button

c. 33.3% - Engagement

If users have any outstanding Mandatory or Optional content awaiting completion, this will also impact their risk score.

For more information, please see the following article.

Why can I not assign risk scores to some content?

Risk scores can only be added to content that:

  • is not in an archived state;
  • has 'Make Course Private' selected, i.e. the content needs targets; 
  • does not have 'Anonymous Responses' selected.

Does the risk score calculation include a time limit?

Yes, risk score calculation will only include content that has been targeted to users within the last 12 months. For example, if a user clicked on a phishing simulation 3 years ago, this will not negatively impact their current risk score.

How long does it take for the risk dashboards to update?

A nightly sync runs to update the risk dashboards; therefore, risks will only update on a daily basis. 

Will risk scores work for SCORM transfer courses?

Risk scores are currently not available for SCORM transfer courses.

Will risk scores work for courses that re-occur on an anniversary?

Risk scores currently only work for the first year in which users receive the course. Subsequent courses in the following years will not be included in the risk score calculation.

Are risk scores for policies with an attached survey included as a risk factor?

Currently, attached survey scores are not a risk factor that is included in the risk score calculation. However, the policy with an attached survey will be included in the Engagement risk factor. 

Are scores from standalone surveys included as a risk factor?

Currently, scores from standalone surveys are not a risk factor that is included in the risk score calculation. However, the standalone survey will be included in the Engagement risk factor.

Why are new joiners appearing with a risk score of 100?

New joiners can appear with a risk score of 100 if they have not completed any content that has risk scores assigned, have not completed any Fusion courses with quizzes and have not yet been delivered a phishing simulation. As the new joiners start to engage with the content and phishing simulations, you will likely see their risk scores drop over time.

Why are my end users being asked to supply their department upon login?

On login, after enabling risk scores, end users will be asked to select a department that best matches their role; this question is mandatory.

At the moment, we provide a default list of the most popular departments. As this is not customisable, if their related department is not mentioned, users can simply select 'Other'.

This information will then be used to populate the department charts within the Admin Employee Risk and Engagement Dashboard. We also plan to use this information in the future to suggest customised learning content that's related to their department.

Will my end users be able to update their preferred departmental training via the Teams app or direct access?

No, currently the only method for end users to update their preferred departmental training is via the website end-user home page.

What do the notification icons mean on the end-user home page?

When risk scores have been enabled within Company Edit, end users will receive a brand-new home page. A new feature that we have added to this is notification icons per tile. For example, if an end user has a '4' notification icon for policy, this will mean the user has 4 policies targeted to them and awaiting completion. 

For Privacy Assessment and Privacy Reviews, the notification icons will show how many assessments are in progress or awaiting review.
