Understanding the Scores you can see on your People tab
When you look at the People section of your Human Risks tab, you will see two separate scores. An Employee Risk Score, and their Security Behaviour Score. Both scores are based on your employees’ security actions - such as phishing simulations and associated interactions, password hygiene, corporate email address breaches, SaaS usage and the likes.
Only users with access to the CultureAI Admin dashboard can see this score. Your employees will not be able to view this.
This shows you how much of a security risk this employee poses to your company. The higher this score is, the higher the risk they pose. This data is surfaced to provide quick insights of who in your business may need support and enablement around risk awareness tied to their behaviours.
An employees risk score is calculated based on their Security Behaviour Score, their job role within your company and if they have previously fallen for phishing emails, making them more likely to be targeted in the future.
Security Behaviour Score
This is the score your employees can view in their Security Centre (the CultureAI employee portal).
This score will dynamically change/update based on your employees’ security behaviours (and your employees can see further context directly around why and how their scores are impacted within their Security Centre itself by clicking 'View my risks').
Their score will improve or reduce depending on their behaviours. Negative security actions will result in scores reducing, whilst positive actions will increase scores.
If you hover over the pink/amber/green security behaviour circles next to the security behaviour score ‘Security Behaviours’, this will give you and overview about this employees behaviours.
This is a good way to a quick bitesize understanding of what actions an employee has taken that impacts their score.
How are scores calculated?
The scores don't work on a "Points based" system. For example, clicking on a Phishing email link does not equal minus 20 points.
CultureAI uses a clever algorithm to asses employee behaviour patterns, the average behaviour of that employee, their current score and various other aspects of their profile, such as their job role, and how often they engage in negative or positive security behaviours. This is then all pulled together to calculate their new score.
This treats every employee as an individual, and prevents employees from picking up on patterns and figuring out how to manipulate their behaviour score - which would lead to an inaccurate portrayal of that employee behaviour score and thus your organisation risk.
What impacts an employee score and how do I see that?
Any behaviours that you are monitoring will impact the employee score. This is based on:
- Data sources you have enabled (Email Phishing, Chrome, Slack etc)
- The settings you have within those data sources (Approved SaaS apps, tracking MFA etc)
To get a more detailed guide on the information you can find in your People tab and how to navigate it, please click here
Can I change employee scores if they challenge something that impacted it?
While you cannot directly change an employee score, you can remove any events that impacted their score if you so choose. This will recalculate their score, to reflect the event being removed.
You can do this via the event removal tool. Removing the event will remove any impact the event had to their score.
Could an employee falsely inflate their score by re-doing training, or reporting lots of emails?
The short answer is no. CultureAI has various settings in place to prevent scores from being artificially inflated.
If a user reports a potential phishing email, their score would improve for this. If you then review this report in the issues triage section, and mark it as a false positive (deciding that it wasn’t a phishing email) the positive score impact they earned for this would be removed. So employees are not able to artificially inflate their score by reporting lots of emails.
An employee's score for completing training will only be positively impacted once, while they could re-take training if they liked, they won't improve their score by doing this.
How can employees see their score?
Employees can view this in their Security Centre ‘Risks’ tab for a clear break down of what has impacted their score.
If they hover over the icons under ‘What impacted my score’ they can see exactly the behaviour that impacted their score (positively, or negatively)
FAQ’s from employees
My score is really low! Why is that?
You should first direct your employees to look at the Risks tab in their security centre. This will provide visibility of all the events that have impacted their score. Ask them to review the red events, and look to improve behaviour in those areas. As their behaviour improves, so will their score.
I don’t agree with events that impacted my score, can it be changed?
If an employee challenges their score, you first need to confirm which events they disagree with, and why. Once you know the events you are looking for, head to the People section of your Human Risks tab, and click on the employee name to view their profile.
Review the event, and decide if you are going to remove it, or not.
Setting up an internal process to deal with employee event challenges will help you deal with them smoothly.
An example of this could be:
- Employee raises a challenge through a dedicated form that includes details of the events they disagree with and the reason behind the challenge
- A CultureAI admin reviews the events challenged
- A decision is made regarding the challenge, you will need to decide if you agree with the employee, or disagree
- The event is removed, or left in place
- The challenge is logged to keep a clear database of how many times an employees has challenged something, and how many events have been removed for them
I don't understand a risk on my security centre, can you help me?
If an employee is struggling to understand a risk event they have, you will need to take the time to explain the risk, and why it's been flagged.
There are some key points you can think about;
- Was the employee aware of the risk before it was flagged?
If an employee didn't know that, for example, they always had to use SSO and not credentials to log in, this could be an indication that they may need a second run through of your companies polices.
Offering to run through the areas that they seem to have forgotten will refresh their memory and show that the time is being taken to help, rather than the burden of improvement being solely on them.
- Do they understand why something they did is considered risky?
Employees may understand that basic idea around why something is a bad security behaviour, but they may be lacking the more detailed context that helps them to grasp the potential negative results of doing that behaviour.
For example, they may know that posting a password in Slack public channels is a bad idea, but not why it should be avoided. Giving employees that extra context helps behaviours change and understandings grow.
- Do they need extra help or tools to assist them in managing their security behaviours?
Sometimes, an employee not understanding a certain risk could indicate that something needs to change within their current daily workflow. For example, if they're often accessing websites without using SSO, it may be a good idea to look into getting SSO enabled for them on those websites if they're relevant to your business.
Offering changes or improvements like this can help employees feel like they're not just being tested, and failing. Instead, it gives the feeling that the company as a whole is making an effort improve security behaviours and their managers are looking out for them.