Employee Risk Scores FAQs
What is a 'risk factor'?
A risk factor is any behavior or action that can influence the likelihood of an employee becoming a security threat to the organisation. Risk factors are used to assess the potential risk an employee poses and are quantified to calculate an overall risk score.
How are 'risk scores' calculated?
Risk scores are calculated using the following 3 risk factors:
a. 33.3% - Fusion Course Performance
- Overall average of course quiz attempts.
- Passing quizzes first time will have a positive impact on scores.
- The more attempts it takes users to pass quizzes, the more this will negatively impact scores.
b. 33.3% - Interactions with phishing simulations
- Negative impact on risk score, i.e. score increases:
  - Phishing simulation clicks/QR Scan
  - Data Entry
- Positive impact on risk score:
  - Report phish via the MetaPhish 'Report' button
c. 33.3% - Engagement
If users have any outstanding mandatory or optional content awaiting completion, this will also impact their risk score.
For more information, please see the following article.
Why can I not assign risk scores to some content?
Risk scores can only be added to content that:
- is not in an archived state;
- has 'Make Course Private' selected, i.e. the content needs targets;
- does not have 'Anonymous Responses' selected.
Does the risk score calculation include a time limit?
Yes, a risk score calculation will only include content that has been targeted to users within the last 12 months. For example, if a user clicked on a phishing simulation 3 years ago, this will not negatively impact their current risk score.
How long does it take for the risk dashboards to update?
A nightly sync runs to update the risk dashboards; therefore, risks will only update on a daily basis.
Please ensure you enable risk scores for relevant published content.
Why are the rolling 12-month charts appearing with no data?
These charts will update with information on a monthly basis. Therefore, for the first month after enabling risk scores, the chart will appear blank. For example, if you enable risk scores in Month 1, you will not see any data until Month 2.
As each month passes, the chart will provide upward or downward trends over the 12-month period.
Will risk scores work for SCORM Transfer courses?
Yes, enabling risk scores is now available for SCORM Transfer courses.
SCORM Transfer courses require the risk factor setting to be enabled, which can be done during the course creation process or in the 'Learning in Progress' table, under the 'Actions' column.
- Please note: To successfully record risk scores for SCORM Transfer courses, the email address of the user undertaking the course on your third-party LMS must directly match their existing email address in MyCompliance.
Will risk scores work for courses that re-occur on an anniversary?
Risk scores currently only work for the first year in which users receive the course. Subsequent courses in the following years will not be included in the risk score calculation.
Are risk scores for policies with an attached survey included as a risk factor?
Currently, attached survey scores are not a risk factor that is included in the risk score calculation. However, the policy with an attached survey will be included in the Engagement risk factor.
Are scores from standalone surveys included as a risk factor?
Currently, standalone survey scores are not a risk factor that is included in the risk score calculation. However, they will be included in the Engagement risk factor.
Why are new joiners appearing with a risk score of 100?
New joiners can appear with a risk score of 100 if they have not completed any content that has risk scores assigned, have not completed any Fusion courses with quizzes and/or have not yet received a phishing simulation.
As the new joiners start to engage with the content and phishing simulations, you will likely see their risk scores drop over time.
Why are my end users being asked to supply their preferred departmental training upon login?
On login, after enabling risk scores, end users will be asked to select a department that best matches their role. This feature is optional and can be disabled by toggling off 'Show Departmental Training' within Settings > Company Edit.
- At the moment, we provide a default list of the most popular departments. As this is not customisable, if their related department is not mentioned, users can simply select 'Other'.
- This information will then be used to populate the department charts within the Admin Employee Risk and Engagement Dashboard.
- In the future, we also plan to use this information to suggest customised learning content that's related to their department.
Will my end users be able to update their preferred departmental training via the Teams app or Direct Access?
No. Currently, the only method for end users to update their preferred departmental training is via the website end-user home page.
What do the notification icons mean on the end-user home page?
When risk scores have been enabled within Company Edit, end users will receive a brand-new home page. A new feature that we have added to this is notification icons per tile. For example, if an end user has a '4' notification icon for Policy, this will mean the user has 4 policies targeted to them and awaiting completion.
For Privacy Assessment and Privacy Reviews, the notification icons will show how many assessments are in progress or awaiting review.