Overview
The Risk Score is a dynamic, multi-dimensional metric which is representative of an individual's, group's, or account's security risk level. This numerical value ranges from 0 to 100, where a lower score is reflective of lower security risk.
Why Risk Score Matters
Security awareness is no longer simply about training, but about visibility into risk and its active mitigation. The Risk Score helps you:
- Identify high-risk individuals before they become the cause of a security incident.
- Track improvement over time as users complete training or adopt higher awareness and habits.
- Prioritize interventions and help personalize coaching.
- Benchmark departments, groups, etc. for better reporting, accountability, and data analytics.
The goal is constructing actionable data from simulation behavior, training engagement, role context, exposure, and security signals, into one number to help you prioritize coaching, remediation, and monitoring.
How Risk Score Works
The Risk Score represents an individual's, group's, or account's security risk, ranging from 0 to 100. It is computed from weighted factor scores and then adjusted by an Impact Modifier that depends on the role of the user(s) in question. For instance, a CFO will have a higher Impact Modifier than someone in customer support.
The base risk score for a target that has neither been tested nor trained is 40. In other words, the target has not been assigned and completed any training, and has not been sent any simulations. Through regular testing and training with the LMS (School), risk scores for targets, groups, and accounts should trend downward.
The Weighted Factors and Decay
Each factor also produces a score from 0 to 100 (where a higher number equates to higher risk). Scores are driven by discrete behavioral or contextual signals called "Findings," which decay over time and expire after 2 years so that the score can improve as behavior improves -- every 90 days, each Finding will decay by 12.5%, meaning that after 2 years, the Finding will no longer impact the respective score.
The Weighted Factors are listed below. If you wish to learn more about a specific factor, click on its name:
- Phishing Simulation (40%) - Measures how users interact with simulated phishing attacks (e.g., clicks, submissions, replies, and reporting).
- Training Engagement (40%) - Measures training completion and timeliness, knowledge decay, engagement with SecurityTips™, Just-in-Time training pages, and Training Campaigns.
- Security Signals (20%) - Flags external indicators such as breach/leak signals, risky email indicators, and security posture signals from integrated tools.
The weighted factor scores are summed into a single likelihood total, then multiplied by an Impact Modifier based on the user's job function (department, title, and number of direct reports).
The Formula
The Risk Score is computed in two steps:
- Calculate a weighted likelihood subtotal from the three weighted factors, then
- Apply an Impact Modifier based on role (plus an optional Booster). The clamp keeps the combined multiplier between 0.8 and 1.4.
Risk Score = (0.40 * PS + 0.40 * TS + 0.20 * ES) * clamp(M + B, 0.8, 1.4)
Where:
- PS = Phishing Score,
- TS = Training Score,
- ES = Exposure Risk Score,
- M = Impact Modifier (with the range of 0.8 to 1.4), and
- B = Optional Booster (with the range of -0.2 to 0.2).
What the Final Risk Score Tells You
The following is a table detailing what each range of Risk Score means.
Please note that this is the default breakdown of risk, and this can be configured by navigating to the Risk Score Settings page.
| Score Range | Risk Level | Suggested Action |
|---|---|---|
| 0 to 20 | Very Low | Maintain and reinforce good habits |
| 21 to 40 | Low | Light coaching, reinforce consistency |
| 41 to 60 | Moderate | Targeted training and/or discussion |
| 61 to 80 | High | Prioritized intervention and monitoring |
| 81 to 100 | Critical | Immediate attention and risk mitigation required |
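As an added illustration (not the vendor's code), the following Python implements the formula above, the 12.5%-per-90-days Finding decay, and the default band table, and checks the two worked examples that follow. Function names and the `finding_weight` helper are assumptions made here for illustration.

```python
# Added example, not the platform's own implementation.
from datetime import date

# Weights from the "Weighted Factors" section
PHISHING_WEIGHT, TRAINING_WEIGHT, SIGNALS_WEIGHT = 0.40, 0.40, 0.20

# Finding decay: 12.5% every 90 days, so 8 periods (~2 years) drive it to zero
DECAY_PERIOD_DAYS = 90
DECAY_PER_PERIOD = 0.125

# Default band table: (inclusive upper bound, label)
DEFAULT_BANDS = [
    (20, "Very Low"), (40, "Low"), (60, "Moderate"), (80, "High"), (100, "Critical"),
]


def clamp(value, lo, hi):
    return max(lo, min(hi, value))


def finding_weight(created, today):
    """Fraction of a Finding's original weight still in effect on `today`."""
    periods = (today - created).days // DECAY_PERIOD_DAYS
    return max(0.0, 1.0 - DECAY_PER_PERIOD * periods)


def risk_score(ps, ts, es, impact_modifier, booster=0.0):
    """Risk Score = (0.40*PS + 0.40*TS + 0.20*ES) * clamp(M + B, 0.8, 1.4)."""
    for value in (ps, ts, es):
        if not 0 <= value <= 100:
            raise ValueError("factor scores must lie in 0..100")
    likelihood = PHISHING_WEIGHT * ps + TRAINING_WEIGHT * ts + SIGNALS_WEIGHT * es
    impact = clamp(impact_modifier + booster, 0.8, 1.4)
    return round(likelihood * impact, 1)


def risk_level(score, bands=DEFAULT_BANDS):
    """Map a score onto the first band whose upper bound it does not exceed."""
    for upper, label in bands:
        if score <= upper:
            return label
    raise ValueError("score outside 0..100")


if __name__ == "__main__":
    # Values from the John (IT admin) and Sarah (CFO) examples on this page
    print(risk_score(75, 60, 60, 1.3, 0.1), risk_level(92.4))   # 92.4 Critical
    print(risk_score(17, 20, 30, 1.38), risk_level(28.7))       # 28.7 Low
```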
Examples of Risk Score
Example 1: John — IT Administrator
Profile
- Role: System Administrator (Very High Impact Modifier of 1.3)
- Access: Domain admin, servers, endpoint security console
- Simulation Behavior: Clicked on 2 phishing simulations, submitted credentials once
- Training Engagement: Completed 2 courses recently
- Security Signals: Corporate credentials found on dark web
- Target Booster: High (+0.1)
Score Breakdown
| Component | Raw Value | Weighted Value |
|---|---|---|
| Phishing Simulation Behavior | 75 | 30 |
| Training Engagement | 60 | 24 |
| Security Signals | 60 | 12 |
Adding the weighted values gives John's subtotal of 66, which on its own would place him in the "High" category.
However, we still must take the Impact Factor into consideration. John's Impact Modifier is 1.3 and the Target Booster is 0.1. The Impact Factor is the sum of the Impact Modifier and the Target Booster, so John's Impact Factor is 1.4.
Multiplying John's subtotal of 66 by this Impact Factor yields 92.4 as his final Risk Score, which puts him in the "Critical" category.
Interpretation of John's Risk Score
John is a very high-risk user with high potential impact. If compromised, his account could enable significant lateral movement or system-wide damage. His behavior raises concerns, but strong tooling and incident reporting could help mitigate risk slightly.
Example 2: Sarah — Chief Financial Officer (CFO)
Profile
- Role: CFO (executive, Very High Impact Modifier of 1.38)
- Access: Financial systems, board comms, vendor payments
- Simulation Behavior: 1 click on 3 campaigns
- Training Engagement: Fully completed 4 courses in the past 90 days
- Security Signals: Multiple public mentions on LinkedIn and press releases
- Target Booster: Normal (0.0)
Score Breakdown
| Component | Raw Value | Weighted Value |
|---|---|---|
| Phishing Simulation Behavior | 17 | 6.8 |
| Training Engagement | 20 | 8 |
| Security Signals | 30 | 6 |
Adding the weighted values gives Sarah's subtotal of 20.8, which on its own would place her in the "Very Low" category.
However, we still must take the Impact Factor into consideration. Sarah's Impact Modifier is 1.38 and the Target Booster is 0. The Impact Factor is the sum of the Impact Modifier and the Target Booster, so Sarah's Impact Factor is 1.38.
Multiplying Sarah's subtotal of 20.8 by this Impact Factor yields 28.7 as her final Risk Score, which puts her in the "Low" category.
Interpretation of Sarah's Risk Score
Sarah's likelihood of risky behavior is low, but her role has very high potential impact. That keeps her in the "Low" category rather than "Very Low". However, reducing public exposure and continuing training can lower her Risk Score further.