This article describes how the Risk Scoring is calculated in SMARTFENSE and how to interpret the risk levels of each user, group, and the organization in your instance. It also explains the available charts for risk analysis and monitoring.
Objective
The objective of the Risk Scoring is to answer the following key questions for the instance administrator:
What is the risk level of each user in the organization?
What is the risk level of each user group?
What is the overall risk level of the organization?
To achieve this, SMARTFENSE shows a table with general information and also a detailed Risk Scoring for each user, group, and the organization.
Risk scoring
User risk scoring
Group risk scoring
Organization risk scoring
Risk Scoring
The Risk Scoring is a proprietary SMARTFENSE calculation based on the general theory of risk scoring, applicable both in awareness and in other domains (for example, banking). It is a number that reflects how severe a risk is based on the presence of certain factors.
The value can range from 0 to 100.
The higher the number, the greater the risk it represents.
Additionally, the scoring value is associated with a qualitative scale. This scale allows each organization to develop internal policies and define specific actions for each measured risk level.
Calculation Components
By definition, the calculation of Risk Scoring in SMARTFENSE is designed to be simple to perform and easy to understand. The calculation components are clear and their presence is justified. No black box processes such as machine learning or similar technologies are used for this calculation.
Thus, the Risk Scoring result is transparent and understandable for administrators.
Risk to be analyzed
The risk measured is that the organization suffers an information security incident related to the human layer.
Risk factors
The risk factors are directly related to the risky actions or behaviors that an end user may perform.
These actions can increase or decrease the organization’s exposure to the analyzed risk. To measure these factors, simulation campaigns of phishing, ransomware, and smishing are used.
Weights
The weights indicate the criticality of each risk factor measured in the Phishing, Smishing, and Ransomware simulation campaigns.
Phishing:
Risk factor |
Weight |
Sent |
Null |
Opened |
Low |
Clicked on the link |
Medium |
Data entry |
High |
Smishing:
Risk factor |
Weight |
Sent |
Null |
Delivered |
Null |
Clicked on the link |
Medium |
Data entry |
High |
Ransomware:
Risk factor |
Weight |
Sent |
Null |
Opened |
Low |
Ransomware downloaded |
Medium |
Ransomware opened |
High |
Attached Ransomware opened |
High |
Possible encryption in folder |
High |
Occurrence Probability
The probability of occurrence of each risk factor is calculated per user taking into account:
The number of simulation campaigns of Phishing, Smishing, and Ransomware in which they participated.
The number of risky actions performed in those campaigns.
The probability evolves in a logarithmic manner according to the number of actions performed by the user in the last 100 campaigns.
Example:
Number of campaigns |
Risk actions |
Occurrence probability |
1 |
1 |
100% |
2 |
1 |
86.94% |
3 |
1 |
67.74% |
The probability of occurrence is calculated:
For each risk factor.
For each user, individually.
For example, a user will have:
A specific probability of opening a phishing email.
Another probability of clicking the link in phishing.
Another for data entry, and so on for each measured factor.
Redemption
The Redemption allows each user’s Risk Scoring to decrease as they do not perform risky actions in the Phishing, Smishing, and Ransomware campaigns to which they are assigned.
Redemption brings the particular scoring of each user’s risk factor to 0 if they do not perform unsafe behaviors. The scoring decreases following a logarithmic curve.
When the user performs a risky action, the Redemption corresponding to that particular risk factor is canceled.
Penalty
The Penalty raises the scoring of each particular risk factor of a user to 100 if they perform 5 recent risky actions.
The last 5 campaigns of the user are taken.
According to the number of risky actions in those campaigns, the Penalty is calculated.
This allows alarms to be triggered when a user who had been behaving correctly begins to perform risky actions in a recent period.
Qualitative scale
The following qualitative scale is applied to rate the different risk levels derived from the Risk Scoring:
Low |
0 to 20 |
Medium low |
20 to 40 |
Medium high |
40 to 60 |
High |
60 to 80 |
Very high |
80 to 100 |
Campaigns considered in the calculation
The calculation of Risk Scoring considers simulation campaigns of Phishing, Smishing, and Ransomware that are completed. Test campaigns are not taken into account.
Interactions generated by software can be considered or not, depending on whether you decide to Show or Hide them in the Settings > Security > Whitelist section.
User risk scoring
We already know the components that impact the Risk Scoring calculation based on each user’s actions. SMARTFENSE offers a heat map per campaign (phishing, ransomware, and smishing) to analyze the relationship between the probability of occurrence of a risky action and its potential impact. To view the heat map:
Go to Audit - Campaign Detail.
In the Charts section, you will see the heat map corresponding to that campaign.
In SMARTFENSE, the following analysis is performed for each platform user:
The last 100 campaigns of Phishing, Smishing, and Ransomware in which the user participated are taken.
The interactions performed by the user in each campaign are considered.
These interactions are grouped into three categories:
Low-risk actions
Opening phishing simulation emails.
Opening ransomware simulation emails.
Medium-risk actions
Clicking the link in a Phishing or Smishing simulation.
Downloading a file in a Ransomware simulation.
High-risk actions
Entering data in a Phishing or Smishing simulation.
Opening an attachment downloaded from a Ransomware simulation.
According to their history, each user has a determined probability of performing each category of actions.
Heat map by campaign mode
In Phishing or Ransomware simulation campaigns with single initial assignment mode and specific expiration date, the heat map is shown once the campaign ends. It considers the user’s behavior in the current campaign and also behavior in the last 100 campaigns of Phishing or Ransomware simulation.
In campaigns with recurring assignment mode and relative duration, the heat map updates as users assigned recurrently complete the campaign.
The heat map of a campaign does not change over time. It can be consulted at any future time, and the result will always be the same.
| Important: modifying user status has a direct effect on the organization’s heat map. This effect is not immediate, as the map updates every 24 hours. |
User risk scoring charts
To analyze the users’ Risk Scoring:
Go from the SMARTFENSE menu to Risk Scoring > Users.
You will see a table with the list of users in your organization.
You can filter by group, functional area, and level of hierarchical.
If you want to see the risk scoring evolution of a particular user, find the user in the table, enter the user detail, and you will see the following charts:
Current risk scoring.
Evolution over time.
Risk factor.
These charts help the administrator identify risk trends and make decisions about training and corrective actions.
Group risk scoring
The Risk Scoring of a group is calculated as a weighted average of the scoring of each user who is part of the group. More weight is given to users who present a higher risk.
The weight of each Risk Scoring range is as follows:
Scale |
Scoring |
Weight |
Low |
0 to 20 |
25 |
Medium low |
20 to 40 |
25 |
Medium high |
40 to 60 |
50 |
High |
60 to 80 |
100 |
Very high |
80 to 100 |
100 |
Inactive users within the group are not considered.
The Risk Scoring of inactive groups is not updated.
| Important: modifying group composition (adding, removing, activating, or deactivating users) has a direct effect on the group’s Risk Scoring. This effect is not immediate, as the scoring update occurs every 24 hours. |
Group risk scoring charts
To analyze the Risk Scoring of groups:
Go from the SMARTFENSE menu to Risk Scoring > Groups.
You will see a list of groups in your organization.
If you want to see the risk scoring evolution of a particular group, find the group in the list, enter the group detail, and you will see the following charts:
Current risk scoring.
Evolution over time.
Risk factor.
These charts help identify which groups represent higher risk and prioritize training actions or adjustments in the security strategy.
Organization risk scoring
By entering Risk Scoring > Organization from the SMARTFENSE menu, you can see the overall evolution of your organization based on users’ actions in the various components that impact the Risk Scoring calculation.
The available charts allow you to:
Visualize the general risk trend of the organization.
Identify periods of risk increase or decrease.
Facilitate strategic security decision-making at the organizational level.
💡 Best practices
Regularly review the Risk Scoring of Users, Groups, and Organization to detect risk trends and react in time.
Use Phishing, Smishing, and Ransomware campaigns continuously to keep the probability of occurrence of risk factors updated.
Take advantage of Redemption as an incentive to improve user behavior, reinforcing the importance of not performing risky actions.
Monitor users with active Penalty and consider specific training actions or additional communication by the instance administrator.