This article describes the four reports available in the Risk and behavior card in the Reports section of SMARTFENSE. To access each one, go to the Reports menu, locate the Risk and behavior card, and click the corresponding eye icon.
User profile
Individual view of a user's awareness profile: their risk level and trend, how they respond to attack simulations, their training progress, and their proactive activity. All information is read-only. One user is displayed at a time.
Header indicators: Risk level (Low · Medium-low · Medium-high · High · Very high), Trend (Improving · Worsening), % training, and user status (Active).
Report sections:
- Profile: identity and organizational context (area, level, groups, role, last access).
- Risk: current score, trend, and comparison with the average for the area and the organization.
- Attack simulations: simulations received, in which the user fell, and reported, covering phishing, smishing, ransomware, and USB Drop, plus resilience (reports ÷ falls).
- Awareness campaigns: status of training assigned by campaign. Assigned = Completed + Pending; overdue items are a subset of pending. Includes CSV download with detail by content, dates, and status.
- Proactive activity: contents the user consumed on their own initiative, outside of any assigned campaign, with their status (Completed / Started) and the date of the last interaction. Includes CSV download.
- Gamification: chronological log of points and badges. Includes CSV download.
Comparison of groupings
Places functional areas, hierarchical levels, or groups side by side to compare how each one stands in terms of risk, behavior in simulations, training, and voluntary use. Allows you to identify at a glance where to intervene first. This is a snapshot of the current status based on active users.
Compare by selector: chooses the row grouping (Functional area, Hierarchical level, or Group).
Filters: Groups, Functional Areas, Levels of Hierarchy, Smart Groups. They narrow the population and recalculate the entire comparison.
Comparison: table with one row per grouping, sorted from highest to lowest risk, with the following columns:
- Users: number of active users in the grouping.
- Average risk: average risk level with its band (Low … Very high). No score: "No record".
- % drop: percentage of simulations in which users fell (click, data entry, download, opening/execution); excludes software actions (false positives).
- Resilience: how many simulations are reported per fall, only for phishing and ransomware. Strong (3 or more), Media (between 1 and 3), or Weak (less than 1). No falls: "No falls"; no reportable simulations: "No data".
- % training: training content completed out of assigned.
- % proactive adoption: percentage of users who used the platform on their own initiative (outside of a campaign).
Includes CSV download with all groupings.
Priority users for intervention
Ordered follow-up list from highest to lowest risk. Identifies who to attend to first; select a user to open their detail record. This is the work queue for interventions (1:1 meetings, reinforcements); the bridge between Comparison of groupings (which area or group is worse) and User profile (the detail for one person).
By default shows Very high and High risk levels. This is a snapshot of the current status based on active users.
Filters: Risk level, Groups, Functional Areas, Levels of Hierarchy, Smart Groups, and Activity (filters between all users or only those who never accessed).
Users: table with one row per user and the following columns:
- Risk level: Low · Medium-low · Medium-high · High · Very high. "No record" if the user has no score yet.
- Trend: compares the current score with the average of the last 30 days. "Worsening" (↑) if rising; "Improving" (↓) if falling. Less than one month of history: "No data".
- Behavior in simulations: based on recent simulations (phishing, smishing, ransomware, USB Drop). Repeat offender · To observe · Improving · Solid.
- Recent drops (90 days): number of compromising simulations (click, data entry, download, or opening) with the date of the last fall. Excludes software actions (false positives).
- Expired training: number of assigned training campaigns whose deadline has passed and the user has not completed.
- Last access: date of the user's last login to the platform. "Never accessed" identifies users who have never logged in and typically require resending the invitation or escalating to the responsible manager.
Includes CSV download with the full filtered list.
Awareness references
Positive counterpart to Priority users for intervention: shows users who stand out for their good security behavior, for recognition, sharing good news with management, and feeding into gamification.
The absence of a user from this report does not imply poor performance: it may be due to insufficient evidence (for example, a new area with few simulations).
To appear as a reference, a user must meet a minimum evidence requirement (at least 3 reportable simulations received and assigned training) and the reference criteria: low-band risk (Low or Medium-low), no falls in the last 90 days, Solid or Improving behavior, Media or Strong resilience (or no falls but with reports), training up to date (no overdue items and at least 85% completed), and recent access to the platform.
Filters: Groups, Functional Areas, Levels of Hierarchy, Smart Groups.
References: table sorted from highest to lowest resilience, with the following columns: Area / Level / Group, Risk level, Resilience, Behavior in simulations, Completed training (e.g. 12/12), Proactive use, and Last access.
Includes CSV download with the full list.
💡 Best practices
- Use Comparison of groupings to identify areas with the highest average risk or highest % drop and prioritize where to direct interventions.
- Use Priority users for intervention as a weekly work list: review trends (who is worsening) and expired training to act before risk accumulates.
- Open User profile when starting a follow-up conversation: it brings together in one screen the user's risk, simulation history, and training progress.
- Use Awareness references to communicate achievements internally: sharing results with management or including references in gamification initiatives reinforces the security culture.
- Cross-reference both lists: if a reference user shares an area with several priority users, they can be a key ally in promoting good practices within their team.