Guidance for customising Employee Risk Scores

Introduction

The Employee Risk Score is a key feature that evaluates the overall security risk posed by individual employees. It allows you to customise the risk weighting for each factor that contributes to the overall Employee Risk Score, tailoring the scoring model to match your organisation’s specific security priorities.

In this article, we will explain how to adjust the risk weighting for three key risk factors:

  1. Engagement with Content (Uncompleted Content)
  2. Average Fusion Course Quiz Attempts
  3. Phishing Simulation Interactions (clicks, QR scans, attachment opens, form data entries, etc.)

We will also provide best practices on setting risk factor weights to ensure that the Employee Risk Score reflects the most critical risks to your organisation.


Understanding the Risk Factors

  1. Engagement Score (Uncompleted Content): This reflects an employee’s compliance with completing assigned training content. Uncompleted content indicates a lack of engagement, which may affect awareness of security best practices.
  2. Average Course Quiz Attempts: This measures the number of attempts employees take to pass Fusion course quizzes. A high number of attempts might suggest difficulty in understanding security concepts, potentially indicating risk to the organisation.
  3. Phishing Simulation Interactions: This tracks employee interactions with phishing simulations. Employees who frequently click on phishing links during simulations are considered to pose a significant security risk, as they may be more likely to fall for real-world phishing attacks.

Customising Risk Factors

Each organisation has different priorities when assessing employee risk. This customisation feature allows you to adjust the weighting for each risk factor, determining its impact on the overall Employee Risk Score.

The risk score is calculated out of 100%, and you need to distribute the 100 points across the factors. Here is an example weighting in which phishing simulations are the dominant risk factor in the score:

  • Engagement Score (Uncompleted Content)
    How important is completing assigned content to your organisation? If it’s not as crucial for employees to complete training, policies and surveys, you may want to assign a lower percentage to this factor, meaning employees will not face higher penalties for uncompleted content.
    • Suggested weight: 10%
    • This acknowledges the importance of content completion, while not allowing it to dominate the score.
  • Average Course Quiz Attempts
    If understanding the course material is a priority, quiz attempts are worth tracking. Assign a low to medium percentage here if you find that repeated quiz attempts signal potential knowledge gaps. If you do not set pass marks for quizzes, this risk factor can be disabled.
    • Suggested weight: 20%
    • This suggests that struggling with quizzes represents a higher risk, while not being the most critical factor that impacts the score.
  • Phishing Simulation Interactions (Clicks/QR Scans, Attachment Open, Form Data Entry)
    Phishing is one of the most common attack vectors. Many customers find that negative phishing simulation interactions are the most telling sign of risk. Clicking on phishing links or scanning malicious QR codes can carry a significant impact. If phishing attacks are your greatest concern compared to course performance and completion of content, then a higher percentage should be set.
    • Suggested weight: 70% (can be distributed across the three phishing risk factors)
    • This reflects the high risk posed by phishing and gives it the most influence on the overall Employee Risk Score.

💡Tip: If your phishing simulations do not include attachments or form data entries, or your Fusion quizzes do not have pass marks set, we would advise disabling these risk factors so they do not impact the scoring calculation.
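To make the weighting concrete, here is an added worked example that is not the product's own code: the article does not publish the actual formula, so this Python models the score as a plain weighted sum over whichever factors are enabled, with the weights required to total 100 as described above. Everything in it is an assumption constructed for illustration: the factor names, the 0..1 normalisation of each raw metric, the MAX_RISKY_ATTEMPTS cap for the quiz factor, the three weight profiles (the article's 10/20/70 split with the 70 divided across the three phishing sub-factors, an engagement-heavy alternative, and a profile with the quiz factor disabled) and the sample employee.

```python
"""Worked example of a weighted Employee Risk Score (assumed model, not the product's formula)."""
from dataclasses import dataclass

# Risk factors named in the article. The three phishing sub-factors are the
# "Clicks/QR scans", "Attachment open" and "Form data entry" interactions.
# Identifier names are made up for this example.
FACTORS = (
    "uncompleted_content",   # Engagement Score (Uncompleted Content)
    "quiz_attempts",         # Average Fusion Course Quiz Attempts
    "phish_click",           # phishing link click / QR scan
    "phish_attachment",      # phishing attachment opened
    "phish_form_data",       # phishing form data entered
)

# ASSUMPTION: an average of this many quiz attempts (or more) is treated as
# maximum risk for the quiz factor. The article defines no such scale.
MAX_RISKY_ATTEMPTS = 4.0

# Constructed weight profiles. Only factors present in a profile are enabled;
# a factor disabled in the product is simply left out of the profile.
PHISHING_DOMINANT = {           # the article's 10 / 20 / 70 split, with the 70
    "uncompleted_content": 10,  # spread 40 / 15 / 15 over the phishing factors
    "quiz_attempts": 20,        # (assumed split)
    "phish_click": 40,
    "phish_attachment": 15,
    "phish_form_data": 15,
}
COMPLIANCE_DRIVEN = {           # constructed engagement-heavy alternative
    "uncompleted_content": 50,
    "quiz_attempts": 20,
    "phish_click": 15,
    "phish_attachment": 10,
    "phish_form_data": 5,
}
NO_QUIZ_PASSMARKS = {           # quiz factor disabled; its points moved elsewhere
    "uncompleted_content": 20,
    "phish_click": 50,
    "phish_attachment": 15,
    "phish_form_data": 15,
}


@dataclass
class EmployeeMetrics:
    """Raw per-employee counts (constructed sample data, not a real export)."""
    assigned_content: int
    completed_content: int
    avg_quiz_attempts: float
    simulations_sent: int
    clicks_or_scans: int
    attachments_opened: int
    form_submissions: int


def validate_weights(weights: dict) -> list:
    """Return a list of problems with a weight profile (empty list = valid)."""
    problems = []
    for name, w in weights.items():
        if name not in FACTORS:
            problems.append(f"unknown factor: {name}")
        elif w <= 0:
            problems.append(f"{name}: weight must be positive (omit the factor to disable it)")
    total = sum(weights.values())
    if total != 100:
        problems.append(f"weights sum to {total}, not 100")
    return problems


def factor_risks(m: EmployeeMetrics) -> dict:
    """Normalise each raw metric to a 0..1 risk value (assumed normalisation)."""
    def rate(part, whole):
        # Guard against employees with nothing assigned or no simulations sent.
        return 0.0 if whole == 0 else min(1.0, part / whole)
    quiz = (m.avg_quiz_attempts - 1.0) / (MAX_RISKY_ATTEMPTS - 1.0)
    return {
        "uncompleted_content": rate(m.assigned_content - m.completed_content, m.assigned_content),
        "quiz_attempts": max(0.0, min(1.0, quiz)),
        "phish_click": rate(m.clicks_or_scans, m.simulations_sent),
        "phish_attachment": rate(m.attachments_opened, m.simulations_sent),
        "phish_form_data": rate(m.form_submissions, m.simulations_sent),
    }


def score_employee(weights: dict, m: EmployeeMetrics) -> float:
    """Weighted sum over the enabled factors; 0 = lowest risk, 100 = highest."""
    problems = validate_weights(weights)
    if problems:
        raise ValueError("; ".join(problems))
    risks = factor_risks(m)
    return sum(w * risks[name] for name, w in weights.items())


if __name__ == "__main__":
    # Constructed employee: 3 of 10 items uncompleted, 2.5 average quiz attempts,
    # 3 clicks and 1 attachment open across 12 simulations, no form submissions.
    sample = EmployeeMetrics(assigned_content=10, completed_content=7,
                             avg_quiz_attempts=2.5, simulations_sent=12,
                             clicks_or_scans=3, attachments_opened=1,
                             form_submissions=0)
    for label, profile in [("phishing-dominant", PHISHING_DOMINANT),
                           ("compliance-driven", COMPLIANCE_DRIVEN),
                           ("no quiz pass marks", NO_QUIZ_PASSMARKS)]:
        print(f"{label:20s} {score_employee(profile, sample):6.2f}")
```

Running it shows the same employee scoring differently under each profile, which is the point of the customisation: the phishing-heavy profile is driven by the three clicks, the compliance-driven profile by the uncompleted items, and the third profile ignores the quiz metric entirely because the factor is left out. The validation step is the check worth keeping whatever model you use: a profile that does not total 100, or that names a factor the product does not have, should be rejected before it silently skews every score.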


Adjusting Risk Weights to Suit Your Needs

The suggested risk weightings above are only a guideline. Your organisation may have different priorities depending on the industry, threat landscape, or past incidents. For example:

  • If phishing is not your top concern, but uncompleted content poses a risk due to regulatory or compliance needs, you can increase the impact of the Engagement Score (Uncompleted Content).
  • If knowledge retention is critical, you may want to increase the impact of quiz attempts, making it closer to or equal to phishing simulations.

A flexible approach allows you to create a risk scoring model that aligns with your organisation's security culture.


Best Practices for Customising Employee Risk Score

  1. Balance for your industry
    Different industries face different threats. For example, financial institutions might have a low tolerance for phishing due to targeted attacks, while healthcare organisations might emphasise compliance and content engagement due to stringent regulatory requirements.
  2. Review historical incidents
    Look at past security incidents in your organisation. Have phishing attempts been the most successful, or is it a lack of understanding in key areas? Let historical data help guide how you customise the scores.
  3. Adjust over time
    As your organisation matures in its security posture, regularly reassess your risk weighting. What was important in the past may change as your security awareness evolves.
  4. Test & iterate
    Start with a model based on your initial assessment, but review the effectiveness of the risk scores regularly; scores will update nightly. You can adjust weighting if you find that some factors are over- or under-represented.

To adjust the risk factor weightings:

  • Navigate to Settings > Company Edit > Risk Score
  • Assign a custom weight for each risk factor based on your organisation’s needs.

Need Help?

If you have any questions or need guidance on customising risk scores, please contact your Customer Success Manager for assistance.
