Overview
The PhishingBox Risk Score is designed to provide organizations with a measurable view of user risk based on security awareness behavior, phishing simulation performance, and security-related activity.
Jump to a section:
- Understanding Risk Score Calculations and Best Practices
- How the Risk Score Is Calculated
- Why Training and Phishing Risk Are Weighted Equally
- Use Multiple Tests to Establish Accuracy
- Why Security Signals Carry Less Weight
- Understanding the Goal of Risk Scoring
Understanding Risk Score Calculations and Best Practices
Rather than relying on a single event or isolated failure, the Risk Score is intended to reflect patterns over time and provide administrators with actionable insight into where additional education or reinforcement may be needed.
How the Risk Score Is Calculated
The overall Risk Score is made up of three core categories:
| Category | Weight |
|---|---|
| Training Risk | 40% |
| Phishing Risk | 40% |
| Security Signals | 20% |
These categories are weighted intentionally based on how directly they reflect user behavior inside the PhishingBox platform.
Why Training and Phishing Risk Are Weighted Equally
Training completion and phishing simulation performance are both weighted at 40% because they are equally important indicators of security awareness maturity.
Training Risk
Training Risk measures whether users are actively completing assigned education and awareness content.
Users who consistently complete training demonstrate engagement with organizational security initiatives and generally improve over time when exposed to repeated education.
Why Untrained Users Begin With Elevated Risk
A target (a user enrolled in the platform) who has not completed any training starts at the maximum Training Risk score of 40, the full weight of the category.
This does not mean the user is unsafe or negligent. Instead, it reflects that the platform has not yet received any evidence of security awareness training completion.
Once a user completes a first course, or receives and completes Just-in-Time Training, their Training Risk begins to decrease.
This approach ensures that users without training exposure are treated as higher risk until measurable awareness activity exists.
Phishing Risk
Phishing Risk measures how users perform during phishing simulations over time.
This category evaluates actions such as:
- Clicking phishing links
- Opening malicious attachments
- Submitting credentials
- Reporting phishing emails
- Successfully identifying simulations
The phishing component is intended to measure behavioral response patterns rather than isolated mistakes.
High Initial Phishing Scores Are Normal
It is common for users to receive a high Phishing Risk score after failing their first phishing simulation.
This is expected behavior and should not immediately be interpreted as chronic risk or employee negligence.
Security awareness improvement is best measured over multiple simulations, not a single event.
As users continue participating in phishing campaigns and awareness initiatives, their score should naturally improve through consistent successful behavior. A first failure often represents:
- Baseline awareness measurement
- Lack of prior training exposure
- Initial unfamiliarity with phishing indicators
- Organizational starting point metrics
One failed test does not provide enough behavioral data to accurately assess long-term phishing susceptibility.
Use Multiple Tests to Establish Accuracy
A more accurate Phishing Risk profile generally requires multiple phishing events over time.
We recommend waiting to evaluate a user until at least:
- A second phishing simulation has completed
- Preferably a third, to confirm the trend
This provides significantly better insight into:
- Behavioral consistency
- Improvement trends
- Training effectiveness
- Long-term phishing susceptibility
Organizations should focus on patterns and improvement over time rather than isolated failures.
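As an added example (this is not PhishingBox code), the Python sketch below combines the three categories using the 40/40/20 weights from the table in "How the Risk Score Is Calculated" and applies the sample-size guidance from this section: a score built on fewer than two simulations is flagged as insufficient, and a trend is only reported once a second result exists. The way each component is derived from events (each completed course halving the remaining Training Risk, a recency-weighted phishing failure rate, an external signal level on a 0..1 scale), the field names, and the sample users are all assumptions chosen for illustration; the article does not publish the per-category formulas.

```python
from dataclasses import dataclass, field

# Category weights from the article (Training 40 / Phishing 40 / Signals 20 = 100).
WEIGHTS = {"training": 40.0, "phishing": 40.0, "signals": 20.0}

# Sample-size guidance from the article: at least a second simulation,
# preferably a third, before reading the Phishing Risk as a trend.
MIN_SIMULATIONS = 2
PREFERRED_SIMULATIONS = 3


@dataclass
class UserHistory:
    """Constructed per-user input; the field semantics are assumptions for this example."""
    trainings_completed: int = 0
    simulations: list = field(default_factory=list)  # oldest first; True = failed the test
    signal_level: float = 0.0  # external telemetry severity, assumed normalised to 0..1


def training_risk(h: UserHistory) -> float:
    # Article: no training at all -> the maximum Training Risk of 40.
    # Assumption: each completed course halves the remaining risk.
    return WEIGHTS["training"] * 0.5 ** h.trainings_completed


def phishing_risk(h: UserHistory) -> float:
    # Assumption: recency-weighted failure rate. The newest simulation has weight 1
    # and each older one half the weight of the one after it, so a single failed
    # test scores the full 40 (the "high initial score" the article calls normal)
    # and later passes pull the score down quickly.
    if not h.simulations:
        return 0.0
    newest_first = list(reversed(h.simulations))
    weights = [0.5 ** i for i in range(len(newest_first))]
    failed_weight = sum(w for w, failed in zip(weights, newest_first) if failed)
    return WEIGHTS["phishing"] * failed_weight / sum(weights)


def signals_risk(h: UserHistory) -> float:
    # Capped at 20, so external signals can never outweigh in-platform evidence.
    return WEIGHTS["signals"] * max(0.0, min(1.0, h.signal_level))


def confidence(h: UserHistory) -> str:
    # How much the phishing component should be trusted, per the article's guidance.
    n = len(h.simulations)
    if n < MIN_SIMULATIONS:
        return "insufficient"
    if n < PREFERRED_SIMULATIONS:
        return "provisional"
    return "established"


def trend(h: UserHistory):
    # No trend can be stated from a single result.
    if len(h.simulations) < MIN_SIMULATIONS:
        return None
    *earlier, latest = h.simulations
    if not latest and any(earlier):
        return "improving"
    if latest and not any(earlier):
        return "worsening"
    return "stable"


def assess(h: UserHistory) -> dict:
    score = training_risk(h) + phishing_risk(h) + signals_risk(h)
    return {"score": round(score, 1), "confidence": confidence(h), "trend": trend(h)}


if __name__ == "__main__":
    # Constructed sample users, not real data.
    samples = {
        "new hire": UserHistory(),
        "first failure": UserHistory(simulations=[True]),
        "improving": UserHistory(trainings_completed=1,
                                 simulations=[True, False, False],
                                 signal_level=0.25),
    }
    for name, history in samples.items():
        print(f"{name:14s} {assess(history)}")
```

The "first failure" user lands at 80 with confidence "insufficient", which is exactly the situation the article describes: a high number that should prompt training, not a judgement. After one course and two clean simulations the same model reports roughly 31 with an "improving" trend, and only then does the score say anything about long-term susceptibility.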
Why Security Signals Carry Less Weight
Security Signals contribute 20% of the total Risk Score because they originate outside the direct test-and-train loop managed by the PhishingBox platform.
Examples may include:
- External security telemetry
- Third-party integrations
- Endpoint or identity events
- Supplemental behavioral indicators
While these signals can provide valuable context, they are not always directly tied to measurable user awareness performance inside the platform.
For this reason, Security Signals are treated as supporting indicators rather than primary drivers of risk.
Understanding the Goal of Risk Scoring
The purpose of the Risk Score is to help organizations:
- Identify users who may need additional training
- Measure awareness progress over time
- Reinforce positive security behavior
- Improve organizational resilience
The Risk Score should be viewed as a coaching and awareness tool rather than a punitive metric.
Organizations that focus on education, repetition, and long-term trend analysis typically see the greatest improvement in overall security awareness outcomes.