Phishing Interaction Risk Factor Calculations
The phishing interaction risk score is a valuable metric that helps measure employee interactions with phishing simulations. It provides insight into how effectively employees engage with the phishing simulations that they have been sent and can contribute to a broader understanding of their overall risk profile.
If users negatively interact with a phishing simulation, it will increase their score. Negative interactions can include:
- Click/QR scan
- Opening attachments
- Data Entry on Form pages (entering username or password)
Not interacting with a phishing simulation will decrease their score. If users report a phish via the MetaPhish Report Button, this will decrease their score even further.
How are the Phishing Interaction Risk Factors calculated?
The phishing interaction risk score is calculated using the following formula:
(Number of Negative Phish Interactions / Total Phishing Simulations Targeted) * Phish Risk Factor Weight
To break it down:
- Number of Negative Phish Interactions: The total number of negative phish interactions, e.g. clicking on a phish/QR code scan, opening attachments and entering data into a form.
- Total Phishing Simulations Targeted: The number of phishing simulations users have been targeted with that contribute to the risk score.
- Phish Risk Factor Weight: The proportion of the phishing score that contributes to the total risk score, e.g. phish clicks/QR scan, attachment opens or Form Data entries.
Example:
I have customised the 'Phish Click/ QR Code Scan' to have a 50% weighting on users' overall risk scores.
(For simplicity, we will focus only on the Phish Click/QR Code Scan risk factor, but the same calculation will apply for the Open Attachments and Data Form Entry risk factors if you decide to enable them.)
User 1: Has clicked 3/10 phishing simulations.
- 3 phish clicked / 10 Target Phishing Simulations = 3 / 10 * Phish Risk Factor weight (50%) = 0.3 * 50 = 15 Phish/QR Scan Risk
User 2: Has clicked 10/10 phishing simulations.
- 10 phish clicked / 10 Target Phishing Simulations = 10 / 10 * 50 = 1 * 50 = 50 Phish/QR Scan Risk
User 3: Has clicked 0/10 phishing simulations.
- 0 phish clicked / 10 Target Phishing Simulations = 0 / 10 * 50 = 0 * 50 = 0 Phish/QR Scan Risk
Please note: A Risk calculation time period can be set for simulations targeted to users between the last 1-3 years. Phishing simulations will need to have risk scores enabled before they can contribute to the users' risk scores.
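The calculation above, applied to a list of simulation records with the risk calculation period and the risk-scores-enabled condition taken into account. This is an added example, not MetaCompliance code: the record layout, the factor labels, the function name, the 365-day year and the choice to score 0 when no simulations are counted are all assumptions.

```python
from datetime import date, timedelta

# Hypothetical labels for the three negative interaction types on this page.
FACTORS = ("click_or_qr", "attachment_open", "form_data_entry")

def factor_scores(sims, weights, today, window_years=1):
    """Per-factor risk for one user: negative / targeted * weight.

    sims: dicts with 'sent' (date), 'risk_enabled' (bool) and
          'interactions' (set of FACTORS) -- an assumed record layout.
    weights: factor -> weight in percent, e.g. {"click_or_qr": 50}.
    """
    if window_years not in (1, 2, 3):
        raise ValueError("risk calculation period must be 1-3 years")
    cutoff = today - timedelta(days=365 * window_years)  # year ~ 365 days
    # Only risk-enabled simulations inside the period count as targeted.
    counted = [s for s in sims if s["risk_enabled"] and s["sent"] >= cutoff]
    scores = {}
    for factor, weight in weights.items():
        if factor not in FACTORS:
            raise ValueError(f"unknown risk factor: {factor}")
        # Assumption: each simulation counts at most once per factor.
        negative = sum(1 for s in counted if factor in s["interactions"])
        # Assumption: with nothing targeted there is no ratio, so score 0.
        scores[factor] = negative * weight / len(counted) if counted else 0.0
    return scores

# Constructed sample data: 10 recent risk-enabled simulations, 3 clicked,
# plus two clicked simulations that must not affect a 1-year score.
TODAY = date(2024, 6, 1)
SAMPLE_SIMS = [
    {"sent": TODAY - timedelta(days=30 * i), "risk_enabled": True,
     "interactions": {"click_or_qr"} if i < 3 else set()}
    for i in range(10)
] + [
    {"sent": TODAY - timedelta(days=800), "risk_enabled": True,
     "interactions": {"click_or_qr"}},   # outside a 1-year period
    {"sent": TODAY - timedelta(days=10), "risk_enabled": False,
     "interactions": {"click_or_qr"}},   # risk scores not enabled
]

if __name__ == "__main__":
    print(factor_scores(SAMPLE_SIMS, {"click_or_qr": 50}, TODAY))
```

With a 1-year period the sample reproduces User 1's result; widening the period to 3 years brings the older clicked simulation into both the numerator and the denominator.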