Guidance for customising Employee Risk Scores

Introduction
The Employee Risk Score is a key feature that evaluates the overall security risk posed by individual employees. This feature allows customers to customise the risk tolerance for each factor that contributes to the overall Employee Risk Score, tailoring the scoring model to match your organisation’s specific security priorities.

In this article, we will explain how to adjust the risk tolerance for three key risk factors:

  • Engagement with Content (Uncompleted Content)
  • Average Fusion Course Quiz Attempts
  • Phishing Simulation Interactions (Clicks/QR scans, attachments open, form data entries etc.)

We will also provide best practices on setting up tolerances to help ensure that the Employee Risk Score reflects the most critical risks to your organisation.


Understanding the Risk Factors

  1. Engagement Score (Uncompleted Content): The engagement score reflects an employee’s compliance with completing assigned training content. If content is left uncompleted, it indicates a lack of engagement, which may affect an employee’s awareness of security best practices.

  2. Average Course Quiz Attempts: This factor measures the number of attempts employees take to pass Fusion course quizzes. A high number of attempts might suggest difficulty in understanding security concepts, potentially indicating a risk to the organisation.

  3. Phishing Simulation Interactions: This factor tracks employee interactions with phishing simulations. Employees who frequently click on phishing links during simulations are considered to pose a significant security risk, as they may be more likely to fall for real-world phishing attacks.


Customising Risk Factors

Each organisation may have different priorities when assessing employee risk. This customisation feature allows you to adjust the tolerance for each risk factor, determining how much impact each factor will have on the overall Employee Risk Score.

The risk score is calculated out of 100%, and you need to distribute the 100 points across the factors. Here’s how you could customise the risk tolerances based on phishing simulations being the dominant risk factor on the score:

  • Engagement Score (Uncompleted Content)
    How important is completing assigned content to your organisation? If it is not as crucial for employees to complete training, policies and surveys, you may want to assign a lower percentage to this factor, meaning employees will not face higher penalties for uncompleted content.
    • Suggested tolerance: 10/100%
    • This acknowledges the importance of content completion without letting it dominate the score.
  • Average Course Quiz Attempts
    If understanding the courses is a priority, tracking quiz attempts needs to be considered. Assign a low-to-medium percentage here if you find that repeated quiz attempts signal potential knowledge gaps. If you do not set pass marks for quizzes, this risk factor can be disabled.

    • Suggested tolerance: 20/100%

    • This suggests that struggling with quizzes represents a higher risk but still not the most critical factor that impacts the score.

  • Phishing Simulation Interactions (Clicks/QR Scans, Attachment Open, Form Data Entry)
    Phishing is one of the most common attack vectors. Many customers find that negative phishing simulation interactions are the most telling sign of risk. Clicking on phishing links or scanning malicious QR Codes can carry significant impact. If phishing attacks are your greatest concern compared to course performance and completion of content, then a higher percentage should be set.

    • Suggested tolerance: 70/100% (can be distributed across the 3 phishing risk factors)

    • This reflects the high risk posed by phishing and gives it the most influence on the overall Employee Risk Score.

TIP: If your phishing simulations do not include attachments or form data entries, or your Fusion quizzes do not have pass marks set, we would advise disabling these risk factors so they do not impact the scoring calculation.
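The following is an added worked example, not code from the platform: a small calculator that applies the tolerance model described above. The platform's actual scoring formula is not published in this article, so the arithmetic here (each factor's risk on a 0-to-1 scale multiplied by its tolerance out of 100, with a disabled factor left out entirely) is an assumption for illustration. It also shows why the TIP matters: disabling a factor without redistributing its points leaves the tolerances short of 100.

```python
"""Illustrative Employee Risk Score calculator (added example, not the
platform's own code). The weighting formula is an assumption."""
from typing import Dict, Optional

# The three factors from the article with the suggested tolerances.
# A tolerance of None models a disabled factor (excluded from scoring).
SUGGESTED_TOLERANCES: Dict[str, Optional[float]] = {
    "uncompleted_content": 10,
    "quiz_attempts": 20,
    "phishing_interactions": 70,
}


def validate_tolerances(tolerances: Dict[str, Optional[float]]) -> Dict[str, float]:
    """Return only the enabled factors, checking they distribute exactly 100 points."""
    enabled = {name: pct for name, pct in tolerances.items() if pct is not None}
    if not enabled:
        raise ValueError("at least one risk factor must be enabled")
    if any(pct < 0 for pct in enabled.values()):
        raise ValueError("tolerances cannot be negative")
    total = sum(enabled.values())
    if abs(total - 100) > 1e-9:
        # e.g. quiz attempts disabled but its 20 points not moved elsewhere
        raise ValueError(f"tolerances must total 100 points, got {total}")
    return enabled


def employee_risk_score(factor_risk: Dict[str, float],
                        tolerances: Dict[str, Optional[float]]) -> float:
    """Combine per-factor risk into a 0-100 score.

    factor_risk holds each factor's risk on a 0.0 (no risk) to 1.0 (maximum
    risk) scale, for example the fraction of assigned content left uncompleted
    or the fraction of phishing simulations the employee interacted with.
    How the platform normalises each factor is an assumption here.
    """
    enabled = validate_tolerances(tolerances)
    score = 0.0
    for factor, weight in enabled.items():
        risk = factor_risk.get(factor, 0.0)
        if not 0.0 <= risk <= 1.0:
            raise ValueError(f"{factor}: risk must be between 0 and 1, got {risk}")
        score += risk * weight
    return round(score, 1)


# Constructed sample employee: half of assigned content uncompleted, a modest
# quiz-attempt signal, and interactions with 1 in 5 phishing simulations.
SAMPLE_EMPLOYEE = {
    "uncompleted_content": 0.5,
    "quiz_attempts": 0.25,
    "phishing_interactions": 0.2,
}

# Quiz attempts disabled, with its 20 points moved onto phishing as the TIP advises.
QUIZ_DISABLED_TOLERANCES = {
    "uncompleted_content": 10,
    "quiz_attempts": None,
    "phishing_interactions": 90,
}

if __name__ == "__main__":
    print(employee_risk_score(SAMPLE_EMPLOYEE, SUGGESTED_TOLERANCES))     # 24.0
    print(employee_risk_score(SAMPLE_EMPLOYEE, QUIZ_DISABLED_TOLERANCES))  # 23.0
```

With the suggested 10/20/70 split the constructed employee scores 0.5*10 + 0.25*20 + 0.2*70 = 24.0; the same employee scores 23.0 once quiz attempts are disabled and their points moved to phishing. Setting the quiz tolerance to None while leaving the other two at 10 and 70 is rejected, because only 80 points are distributed.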


Adjusting risk tolerances to suit your needs

The suggested risk tolerances provided above are only a guideline if you require phishing simulations to have the most dominance on the user's score. Your organisation may have different priorities depending on the industry, threat landscape, or past incidents. For example:

  • If phishing is not your top concern, but uncompleted content poses a risk due to regulatory or compliance needs, you can increase the impact of the Engagement Score (Uncompleted Content).
  • If knowledge retention is critical, you may want to increase the impact for quiz attempts, making it closer to or equal to phishing simulations.

A flexible approach allows you to create a risk scoring model that aligns with the security culture of your organisation.


Best practices for customising your Employee Risk Score

  1. Balance for your industry
    Different industries face different threats. For example, financial institutions might have a low tolerance for phishing due to targeted attacks, while healthcare organisations might emphasise compliance and content engagement due to stringent regulatory requirements.

  2. Review historical incidents
    Look at past security incidents in your organisation. Have phishing attempts been the most successful, or is it a lack of understanding in key areas? Let historical data help guide how you customise the scores.

  3. Adjust over time
    As your organisation matures in its security posture, regularly reassess your risk tolerances. What was important in the past may change as your security awareness evolves.

  4. Test & iterate
    Start with a model based on your initial assessment, but review the effectiveness of the risk scores regularly (scores update nightly). You can adjust tolerances if you find that some factors are over- or under-represented.

To adjust the risk tolerances, navigate to Settings > Company Edit > Risk Score, and assign a custom tolerance for each risk factor based on your organisation’s needs.


Need Help?
If you have any questions or need guidance on customising risk score tolerances, please contact your Customer Success Manager for assistance.
