Updates to Employee Risk Scores

Introduction
The recent customisable risk score feature offers more control over how employee risk is calculated. Risk factors, such as uncompleted content, quiz attempts and phishing simulation interactions, can now be weighted differently based on your organisation’s risk tolerance.

You may notice changes in employee risk scores, especially for new starters or employees who haven’t yet participated in some of the risk factors. This article explains why these changes occur.

Why risk scores have dropped for some employees
Previously, risk scores were based only on the factors employees had engaged with. For example, a new joiner, with uncompleted content but no phishing or quiz activity, was rated as high risk based solely on uncompleted training.

Now, all risk factors are considered - including those employees who haven’t participated with all the risk factors. As a result, users who have not participated in all risk factors will have lower scores, as these factors are now calculated in the overall risk score, even without their participation.

Example Scenario

    • A new starter has just joined the organisation and has several courses outstanding to complete, which would have previously given them a risk score of 100.

    • They have had 0 phishing simulation interactions and 0 course quiz attempts, which was not factored into the overall risk score calculation.

      Old Risk Score:
      100 - based entirely on uncompleted content.

      New Risk Score:
      34 - because the other factors, i.e. average quiz attempts (33) and phishing simulations interactions (33) - are factored into the overall risk score calculation, even if no participation has occurred.

    This change is why employees who previously appeared as high risk (i.e. due to uncompleted content) now have lower risk scores after the release of the risk score customisation feature.


What to Expect

  • New starters or users who have not participated in all factors: Will now have lower scores to ensure they are not penalised solely for only participating in one/two of the risk factors, e.g. uncompleted content.
  • Existing Employees: Minimal changes if they have engaged with all risk factors.

Conclusion
This update offers a more balanced view of risk, particularly for new joiners or users who have not participated in all of the risk factors. For more information on using the risk score customisation feature, please see this article: Guidance for customising Employee Risk Scores

If you have questions or need support, please contact your Customer Success Manager.

Back to all articles