Employee FAQs

Common questions your employees may have about CultureAI

It's likely your employees will have questions about CultureAI. In this guide, we'll go over the common questions and how to answer them.

You can use this guide as a template for your introduction and roll-out emails, or a reference point for any questions you're asked.

General Questions

What is this CultureAI thing?

  • You could give a simple explanation of what CultureAI is at its core: "CultureAI is a human risk management platform, here to help us improve our security behaviours by surfacing risks, and giving us the data we need to get better." While the platform has many moving parts, over-explaining or long paragraphs can over-complicate initial introductions. We've seen a more positive reception from employees when CultureAI is explained in a couple of sentences. 

Why are we using this?

  • This question will always be personal to your company. We recommend putting your employees at the heart of the reasons. CultureAI is a human-first, human-driven risk management platform.
    "Being cyber secure is difficult: new risks pop up every day, and it's hard to keep up to date with what you should be looking out for next. We want to make being security aware easy and natural. CultureAI will help us surface and manage risks, and give you the power to understand your own personal cyber security."
    If you've had any data breaches or security incidents, you can include these in your reasons, to give context for what drove the decision.

Privacy Related Questions

Is CultureAI tracking everything I'm doing?

  • No, it's not.
    CultureAI monitors how employees interact with business-related software, not their day-to-day workflow.
    Wording is important when talking about monitoring systems. "Monitoring" is often linked to "tracking", as they can seem like the same thing. Tracking has negative connotations: employees may feel like you're looking at everything they do and picking out things you don't like.
    This isn't the case. CultureAI is looking out for specific security actions; it won't produce a full list of everything an employee has done on their laptop or computer that day.
    Everything that CultureAI flags up will be visible to employees as well.
    "CultureAI is monitoring for security behaviours, positive and negative. We're not looking at everything you do. It's not going to tell us that you were ten minutes late logging in, or that you were looking at cat pictures in-between meetings.
    It will tell us, for example, if you logged into a website with your password and email, that you're supposed to use SSO for, or if a password you used was a weak one."

 

Will CultureAI tell you everything I'm doing on my browser?

  • No, it won't.
    CultureAI will only look at activity related to your employees' work email, not their personal one.
    It's important for employees to understand that their work email should only be used for work related things. 
    "CultureAI will only show us activity from your work email. Keeping your work email secure is vital to preventing breaches and data loss. You shouldn't use your work email anywhere besides work related apps.
    The more websites you sign up for using your work email, the higher the chances of that email being part of a data breach are.
    We won't know if you logged into your personal Netflix account on your work laptop, but we will know if you used your work email to sign up to Twitter."


Usage Questions

How do I use CultureAI?

  • Your employees will interact with CultureAI via the Security Centre.
    We have a guide here about the Security Centre that you can use to explain to your employees how to use it.
    It's a good idea to include a guide to using the Security Centre in your roll-out communications.

My score is really low! Why is that?

  • When employees log into their Security Centre, they will be able to see their security score on the homepage.
    You should first direct your employees to look at the Risks tab in their Security Centre. This provides visibility of all the events that have impacted their score. Ask them to review the red events, and look to improve behaviour in those areas. As their behaviour improves, so will their score.

 

I don’t agree with events that impacted my score, can it be changed?

  • If an employee challenges their score or an event that impacted it, you first need to confirm which events they disagree with, and why. Once you know the events you are looking for, head to the People section of your Human Risks tab, and click on the employee name to view their profile.
    Review the event, and decide if you are going to remove it, or not. Please click here to see our guide on removing events.
    Setting up an internal process to deal with employee event challenges will help you deal with them smoothly.

An example of this could be:

  • Employee raises a challenge through a dedicated form that includes details of the events they disagree with and the reason behind the challenge
  • A CultureAI admin reviews the events challenged
  • A decision is made regarding the challenge: you will need to decide whether you agree or disagree with the employee
  • The event is removed, or left in place
  • The challenge is logged, to keep a clear record of how many times an employee has challenged something, and how many events have been removed for them

I didn't click on a phishing link, but CultureAI thinks I have!

  • "False clicks", as they're called, are rare. However, a few things can cause one. The usual cause is a part of your infrastructure that interacts with your emails (a mail security gateway or link scanner that follows URLs before the employee ever opens the message is a typical example). Please contact our support team if you think you have a false click.

    Some of the time, a false click claim can be an employee's knee-jerk reaction to being called out for an action. They may not remember clicking on the link, or feel embarrassed that they did so. When dealing with these situations, start by looking at the evidence.
    You can send yourself logs of all clicks that occur. These contain all the information on the click, such as IP addresses, hosting providers, and exact dates and times.
    You can set this up in your Interventions section; the configuration will vary depending on where you want the logs sent.

    If you didn't set this up beforehand, please contact support and we will be able to provide you with the click logs.

    Now that you have all the information about the click, think about the following:
  • Does the information from the logs match what you expect (IP addresses, date and time)?
  • Does the employee have a reason to give for not having clicked (they were away from their desk, they only opened the email and didn't click on anything, etc.)? If they give you a reason that can be replicated, such as just opening the email, test it with you watching them to see if the same thing happens.
  • Are you getting lots of reports about false clicks? If something in your infrastructure is causing false clicks, you can expect a large number of reports from your employees at once. Isolated or scattered reports suggest there is no systemic cause, and the click is more likely to be genuine.

    In the end, it's up to you whether you believe the employee or not. We recommend following a procedure like the one under the "I don't agree with my score" section.
    While you can use evidence to make a very reasonable conclusion, unless you were watching the employee at the time, you can't 100% know what happened. Please click here to see our guide on removing events.
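The log checks above (do the IPs and times match what you expect, and is the same thing happening for many employees at once) can be run over a click-log export rather than by eye. The following is an added example, not CultureAI's own code or export format: the CSV columns, IP addresses, hosting-provider names, user agents and send time are all constructed for illustration, and the user-agent check goes beyond the fields the text lists, so treat it as an assumption about what your own export contains.

```python
"""Triage of suspected "false clicks" from a phishing-simulation click log.

Added example, not CultureAI's own code. The export format, field names,
IP addresses, hosting providers and user agents below are all constructed
and hypothetical; map the fields to whatever your own click-log export has.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export: one row per click on the simulation link.
SAMPLE_CLICK_LOG = """\
recipient,clicked_at,source_ip,hosting_provider,user_agent
alice@example.com,2024-03-04T09:00:07Z,203.0.113.10,ExampleScan Ltd,Mozilla/5.0 (compatible; LinkScanner/2.1)
bob@example.com,2024-03-04T09:00:08Z,203.0.113.10,ExampleScan Ltd,Mozilla/5.0 (compatible; LinkScanner/2.1)
carol@example.com,2024-03-04T09:00:09Z,203.0.113.10,ExampleScan Ltd,Mozilla/5.0 (compatible; LinkScanner/2.1)
dave@example.com,2024-03-04T09:00:09Z,203.0.113.10,ExampleScan Ltd,Mozilla/5.0 (compatible; LinkScanner/2.1)
bob@example.com,2024-03-04T10:42:31Z,198.51.100.23,Example ISP,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0
erin@example.com,2024-03-05T14:03:12Z,198.51.100.77,Example ISP,Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15
"""

# Constructed: when the simulation email was sent (UTC).
SENT_AT = datetime(2024, 3, 4, 9, 0, 0, tzinfo=timezone.utc)

# Substrings an interactive browser's user agent normally carries (heuristic).
BROWSER_MARKERS = ("Chrome/", "Safari/", "Firefox/", "Edg/")


def parse_click_log(text):
    """Parse the CSV export into dicts, with clicked_at as an aware datetime."""
    clicks = []
    for row in csv.DictReader(io.StringIO(text)):
        row["clicked_at"] = datetime.strptime(
            row["clicked_at"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        clicks.append(row)
    return clicks


def bulk_sources(clicks, window=timedelta(seconds=60), min_recipients=3):
    """Return {source_ip: [recipients]} for IPs that clicked for several
    different recipients within a short window. One address acting for many
    mailboxes at almost the same moment is the signature of a gateway or
    link scanner following URLs, not of people reading their mail."""
    by_ip = defaultdict(list)
    for click in clicks:
        by_ip[click["source_ip"]].append(click)
    flagged = {}
    for ip, rows in by_ip.items():
        recipients = {r["recipient"] for r in rows}
        times = sorted(r["clicked_at"] for r in rows)
        if len(recipients) >= min_recipients and times[-1] - times[0] <= window:
            flagged[ip] = sorted(recipients)
    return flagged


def triage_click(click, bulk, sent_at, fast=timedelta(seconds=30)):
    """Score one click: is its source part of a burst, did it happen within
    seconds of the email being sent, and does the user agent look like a real
    browser? Two or more indicators -> treat it as an infrastructure false click."""
    reasons = []
    if click["source_ip"] in bulk:
        reasons.append(
            f"IP {click['source_ip']} clicked for {len(bulk[click['source_ip']])} recipients"
        )
    delay = click["clicked_at"] - sent_at
    if timedelta(0) <= delay <= fast:
        reasons.append(f"clicked {int(delay.total_seconds())}s after the email was sent")
    if not any(marker in click["user_agent"] for marker in BROWSER_MARKERS):
        reasons.append("user agent does not look like an interactive browser")
    verdict = "likely false click (infrastructure)" if len(reasons) >= 2 else "likely genuine click"
    return {
        "recipient": click["recipient"],
        "clicked_at": click["clicked_at"].isoformat(),
        "source_ip": click["source_ip"],
        "hosting_provider": click["hosting_provider"],
        "verdict": verdict,
        "reasons": reasons,
    }


def triage_report(log_text, sent_at):
    """Triage every click in an export."""
    clicks = parse_click_log(log_text)
    bulk = bulk_sources(clicks)
    return [triage_click(c, bulk, sent_at) for c in clicks]


def clicks_for(report, recipient):
    """Everything recorded against one employee who says they didn't click."""
    return [r for r in report if r["recipient"] == recipient]


if __name__ == "__main__":
    for row in triage_report(SAMPLE_CLICK_LOG, SENT_AT):
        print(row["recipient"], row["clicked_at"], row["source_ip"], "->", row["verdict"])
        for reason in row["reasons"]:
            print("    -", reason)
```

In the constructed data, Bob appears twice: once in the 09:00 burst, where a single address "clicks" for four mailboxes within two seconds (the infrastructure pattern), and once on his own at 10:42 from an ordinary browser. A challenge from Bob would therefore justify removing the first event and leaving the second in place, and that is the kind of evidence-based decision the procedure above asks you to record.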

 

I don't understand a risk on my security centre, can you help me?

If an employee is struggling to understand a risk event they have, you will need to take the time to explain the risk, and why it's been flagged.

There are some key points you can think about:

  1. Was the employee aware of the risk before it was flagged?
    If an employee didn't know that, for example, they always had to use SSO and not credentials to log in, this could be an indication that they need a second run-through of your company's policies.
    Offering to run through the areas they seem to have forgotten will refresh their memory, and show that time is being taken to help, rather than the burden of improvement being solely on them.
  2. Do they understand why something they did is considered risky?
    Employees may understand the basic idea of why something is a bad security behaviour, but lack the more detailed context that helps them grasp the potential negative results of that behaviour.
    For example, they may know that posting a password in a public Slack channel is a bad idea, but not why it should be avoided. Giving employees that extra context helps behaviours change and understanding grow.
  3. Do they need extra help or tools to assist them in managing their security behaviours?
    Sometimes, an employee not understanding a certain risk could indicate that something needs to change in their current daily workflow. For example, if they're often accessing websites without using SSO, it may be a good idea to look into getting SSO enabled for them on those websites, if they're relevant to your business.
    Offering changes or improvements like this can help employees feel like they're not just being tested and failing. Instead, it gives the feeling that the company as a whole is making an effort to improve security behaviours, and that their managers are looking out for them.