Understanding the different scores used across CultureAI
What are scores?
CultureAI uses scores to give you a quick, at a glance overview of how well an employee is doing in terms of their security behaviour within your organisation. These scores can be used as an indicator for you to help identify employees that need extra guidance and support, or recognition for behaving securely and making positive decisions.
CultureAI has three scores used across the dashboard.
- Risk Score
- Cyber Security Score
- Leaderboard Score
In this guide, we'll cover each of these scores, how they're calculated and what can impact a score.
How are they calculated?
All scores use the same sets of data, but use a slightly different algorithm to calculate each score for each individual employee.
Click here to see all the behaviours that will impact an employee's scores.
It is important to note that scores do not work on a points-based system i.e; clicking on a phishing link = minus 20 points
They are dynamically calculated when a new behaviour is detected.
The following is taken into account when calculating scores:
- Employees security behaviours (day to day decisions employees make when
working i.e., use of the business data, email etc.) - The history of their security behaviours (Are they improving, or getting worse)
- Their job role (if available)
What will not be used to calculate scores;
- Logging into the Security Centre
- Spending Security Credits (if you have these enabled)
- Completing training
- Accepting policies
Scores Overview
Risk score
An employee's Risk Score shows you how much of a security risk this employee poses to your company. The higher this score is, the higher the risk they pose.
This is calculated by weighing their Cyber Security Score against;
- Likelihood of falling for an attack
- The estimated impact on your company if they are breached
- The severity of the risks they create
- How long those risks would impact your company
Only admins users of the platform can view this score, employees won't be able to view it.
This is intended to give an overview of which employees pose the biggest risk to your company so you can quickly see who may need immediate support in improving their behaviours.
You can view this score by heading to your People Page in your Human Risks section of the dashboard.
Cyber Security Score
The Cyber Security Score is the employee-facing score that they can view in their Security Centre
It gives employees a personal view of their security behaviours and how well they're doing at a glance. This score isn't visible to other employees, or admins (unless they impersonate them in the Security Centre).
It's their own, personal score and is intended to encourage employees to interact with the Security Centre and look at ways they can improve their score.
The score uses;
- The amount of positive and negative behaviours seen by the employee
- The severity or positivity of those behaviours
- The duration of the impact their behaviours will have
Leaderboard Score
The Leaderboard Score will only be visible if you've enabled your leaderboard within the Gamification section of the admin dashboard.
It's intended for use with gamification, giving you a chance to set up some healthy competition between your employees/departments. Employees can view their leaderboard via the Security Centre. Please click here to see our guide on setting this up.
The Leaderboard Score is based on your employee's Cyber Security Score (though it's not a 1-1 match, keeping employees Cyber Security Score private)
It's scaled by a 90-day grace period from the date an employee was first synced to CultureAI, this prevents new employees from instantly being at the top of the leaderboard.
The effect of any behaviours will be scaled down in the first 3 months, this will result in behaviours having much less effect on leaderboard scores during that time, and your employees scores may all be the same during this period.
If you are planning on using the leaderboard for gamification, it's best to wait till three months has passed to allow events and behaviours to fully impact scores.
Completing assigned training will have a positive impact on the leaderboard scores. Completing training will not impact any other scores.
How long does a risk impact an employee's score?
Different risks will impact an employee's score for different periods of time, depending on the severity of that risk.
For example, something like having MFA disabled may only impact someone's score for a month, while being involved in a work data breach may impact that employees score for up to a year.
If an employee is off work for an extended period, their score will change over time
as the risks they initially created stop impacting their score.
Can admins change scores?
While you cannot directly change an employee's score, you can remove any events that impacted their score if you so choose. This will recalculate their score, to reflect the event being removed.
You can do this via the event removal tool. It should be noted that this action is permanent
and should only be used if you are positive that the event must be removed, for example,
you believe the event did not occur.
Closing off any raised risks as "Safe" or a "False Positive" will also remove some of the negative impact that risk had on an employees score, though it may not remove it entirely. To completely remove the impact, you would need to delete the event.
Could an employee falsely inflate their score by re-doing training, or reporting lots of emails?
The short answer is no. CultureAI has various settings in place to prevent scores from being artificially inflated.
If an employee reports a potential phishing email, their score would improve for this. If you then review this report in the issues triage section, and mark it as safe (deciding that it wasn’t a malicious email) the positive score impact they earned for this would be removed. Therefore, employees are not able to artificially inflate their score by reporting lots of emails.
Completing training will only positively impact an employee's Leaderboard Score, and it will only impact their score once. While they could re-take the training if they liked, but this wouldn't improve their Leaderboard Score.
If an employee is off work, what happens to their scores?
If an employee is away from work for an extended period, such as taking maternity leave or long-term sickness, their score will still change over time.
For example, if an employee generated a number of risks before they went away, by the time they return their score will likely have improved as those risks have since lost impact and they haven't been around to generate any new risks that would contribute to their score.
This can have an impact on your Leaderboard, as those absent employees would rise in the ranks as their score improves.
To mitigate this, we recommend creating a group in your synced Directory, and adding that group to the syncing exclusions filter in CultureAI. This will remove them from leaderboard rankings, so only active employees are included.
Once they return to work, you can remove them from this group in your Directory and they will be re-activated in CultureAI. All their previous data will still be there, so they can pick up from where they left off.
You can set this up by heading to your Users and Access page in CultureAI and clicking into the User Syncing section. Click the three dots next to your sync source and click 'Edit', click through the options till you reach the filter settings page, and enter your group number there.
Score FAQ’s from employees
My score is really low! Why is that?
You should first direct your employees to look at the Risks tab in their security centre. This will provide visibility of all the events that have impacted their score. Ask them to review the red events, and look to improve behaviour in those areas. As their behaviour improves, so will their score.
I don’t agree with events that impacted my score, can it be changed?
If an employee challenges their score, you first need to confirm which events they disagree with, and why. Once you know the events you are looking for, head to the People section of your Human Risks tab, and click on the employee name to view their profile.
Review the event, and decide if you are going to remove it, or not.
Setting up an internal process to deal with employee event challenges will help you deal with them smoothly.
An example of this could be:
- Employee raises a challenge through a dedicated form that includes details of the events they disagree with and the reason behind the challenge
- A CultureAI admin reviews the events challenged
- A decision is made regarding the challenge, you will need to decide if you agree with the employee, or disagree
- The event is removed, or left in place
- The challenge is logged to keep a clear database of how many times an employees has challenged something, and how many events have been removed for them
I don't understand a risk in my security centre, can you help me?
If an employee is struggling to understand a risk event they have, you will need to take the time to explain the risk, and why it's been flagged.
There are some key points you can think about;
- Was the employee aware of the risk before it was flagged?
If an employee didn't know that, for example, they always had to use SSO and not credentials to log in, this could be an indication that they may need a second run through of your companies polices.
Offering to run through the areas that they seem to have forgotten or were not aware of will refresh their memory and show that the time is being taken to help, rather than the burden of having them improvement being solely on them. - Do they understand why something they did is considered risky?
Employees may understand that basic idea around why something is a bad security behaviour, but they may be lacking the more detailed context that helps them to grasp the potential negative results of doing that behaviour.
For example, they may know that posting a password in Slack public channels is a bad idea, but not why it should be avoided. Giving employees that extra context helps behaviours change and their understanding of risks grow. - Do they need extra help or tools to assist them in managing their security behaviours?
Sometimes, an employee not understanding a certain risk could indicate that something needs to change within their current daily workflow. For example, if they're often accessing websites without using SSO, it may be a good idea to look into getting SSO enabled for them on those websites if they're relevant to your business.
Offering changes or improvements like this can help employees feel like they're not just being tested, and failing. Instead, it gives the feeling that the company as a whole is making an effort improve security behaviours and their managers are looking out for them.