This article will walk you through all the functionality related to human risk. Human risk scoring is enabled by default on the Reporting page and is updated every 24 hours (or through a manual refresh).
Table Of Contents
1. What Is Human Risk?
CanIPhish extracts the unique email addresses found in employee lists and campaign statistics, attributes each address to a unique employee, and then evaluates that employee's performance across several aspects of the platform to determine their overall human risk.
2. How Is Human Risk Calculated?
Human risk is determined by combining and weighting four human risk factors and one human risk modifier. Each factor is independently scored on a scale of 0 to 100 and then weighted to form the employee’s human risk score. A human risk modifier may then be applied on top of the human risk score to influence the final result. The factors, modifiers and their respective weightings are as follows:
Human Risk Factors
- Security IQ (35% Weighting)
- Definition: Inversely correlated to the individual’s Security IQ score.
- Example: If an employee’s Security IQ is 70/100, the risk points for this factor are 30/100.
- Note: It is possible to have a negative risk score for this risk factor if the individual has a theoretical Security IQ that is greater than 100. This results in a further reduction in risk to a maximum of -50 risk points, offsetting risk that is obtained through other risk factors.
- Human Risk Factor Score Range (After Weighting): -17.5% to +35% Human Risk
- Phish Risk (35% Weighting)
- Definition: Directly correlated to the individual’s Phish Risk score.
- Example: If an employee’s Phish Risk is 70/100, the risk points for this factor are 70/100.
- Note: It is possible to have a negative risk score for this risk factor if the individual has a theoretical Phish Risk that is lower than 0. This results in a further reduction in risk to a maximum of -50 risk points, offsetting risk that is obtained through other risk factors.
- Human Risk Factor Score Range (After Weighting): -17.5% to +35% Human Risk
- Breach Exposure (15% Weighting)
- Definition: Based on dark web activity data points. If an employee’s information appears in a data breach, the following risk points are assigned:
- Breach in Past 12 Months: +25 risk points
- Breach Contains Password: +25 risk points
- Employee Not Notified of Breach: +50 risk points
- Note: If dark web monitoring is disabled, +50 risk points are assigned to each employee by default.
- Human Risk Factor Score Range (After Weighting): 0% to +15% Human Risk
- Engagement (15% Weighting)
- Definition: Inversely correlated to employee badge scores.
- Example: If an employee's badge score is 80, the risk points for this factor are 20/100.
- Note: It is possible to have a negative risk score for this risk factor if the individual has a badge score that is greater than 100. This results in a further reduction in risk to a maximum of -50 risk points, offsetting risk that is obtained through other risk factors.
- Human Risk Factor Score Range (After Weighting): -7.5% to +15% Human Risk
Human Risk Modifiers
- Business Impact
- Definition: If an employee were to be compromised in a cybersecurity incident, what would the relative impact for your organization be?
- Low Impact (-20% Human Risk): Compromise of this individual would have minimal business impact, with limited access, low trust, and little to no ability to affect systems, data, or operations beyond their own role.
- Moderate Impact (+0% Human Risk): Compromise of this individual would cause a noticeable but contained impact, potentially affecting a specific team, function, or limited set of non-critical systems or data.
- High Impact (+20% Human Risk): Compromise of this individual would have a significant business impact, with the potential to disrupt core business functions, expose sensitive data, or enable lateral movement within the organisation.
- Critical Impact (+40% Human Risk): Compromise of this individual would pose a severe organisational risk due to elevated privileges or high trust, with the potential for widespread system compromise, major data loss, regulatory exposure, or operational shutdown.
- Example: If an employee has a base human risk score of 30, and their business impact is set to High, then their human risk will be elevated to 36, reflecting a 20% increase in human risk.
- Human Risk Modifier Range: -20% to +40% Human Risk Multiplier
By evaluating these factors and modifiers together, CanIPhish provides a comprehensive view of each employee’s overall human risk. This allows organizations to pinpoint and prioritize risk reduction efforts where they are needed most.
2.1 What Are The Human Risk Thresholds?
We bucket users into three human risk thresholds depending on their risk score. These same scoring thresholds are also used when weighing the underlying factors that make up the overall human risk score.
- 70-100 Risk Score = High Risk
- 40-69 Risk Score = Medium Risk
- 0-39 Risk Score = Low Risk
2.2 How Does The Human Risk Algorithm Work?
HumanRiskScore = (SecurityIQRisk × 0.35) + (PhishRiskPoints × 0.35) + (BreachExposurePoints × 0.15) + (EngagementRisk × 0.15)
Where a Business Impact modifier is set, it is applied on top of this base score as a percentage multiplier, as in the Business Impact example above (a base score of 30 with High impact becomes 30 × 1.2 = 36).
Example Scenario: Dark web monitoring is enabled, and the employee was involved in one data breach in the last 12 months where their password was leaked, but they have since been notified. The employee has a Phish Risk of 40/100, a Security IQ of 65/100, and a Badge Score of 130.
- Security IQ (Risk) = (35x0.35) = +12.25% Human Risk
- Phish Risk = (40x0.35) = +14% Human Risk
- Engagement Risk = (-30x0.15) = -4.5% Human Risk
- Breach Exposure: (50x0.15) = +7.5% Human Risk
Example Human Risk = 12.25% + 14% + -4.5% + 7.5% = +29.25% (Low Human Risk)
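The following Python is an added example, not CanIPhish's own code, that puts the factor definitions, the -50 risk-point floor, the breach-point table, the Business Impact multiplier and the section 2.1 thresholds together and reproduces the scenario above. The `Employee` fields and function names are assumptions, as are two details the article does not spell out: factor points are capped at 100 (the top of the 0-100 scale), and the bucket boundaries are inclusive (70 and above is High, 40 and above is Medium, everything else including negative scores is Low).

```python
"""Per-employee human risk scoring, following the factor definitions,
weightings, clamps, thresholds and Business Impact modifier described above.
Added illustration, not CanIPhish's code; Employee fields are assumptions."""
from dataclasses import dataclass

# Factor weightings from the article.
W_SECURITY_IQ, W_PHISH_RISK, W_BREACH, W_ENGAGEMENT = 0.35, 0.35, 0.15, 0.15

# The inverse and direct factors may go negative but bottom out at -50 points.
# Assumption: they are also capped at 100, the top of the 0-100 scale.
FACTOR_FLOOR, FACTOR_CEIL = -50.0, 100.0

# Business Impact multipliers (Low -20%, Moderate 0%, High +20%, Critical +40%).
BUSINESS_IMPACT = {"low": -0.20, "moderate": 0.0, "high": 0.20, "critical": 0.40}


def clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


@dataclass
class Employee:
    """Inputs the scoring draws on. Field names are assumed, not CanIPhish's."""
    email: str
    security_iq: float            # 0-100 (may theoretically exceed 100)
    phish_risk: float             # 0-100 (may theoretically be below 0)
    badge_score: float            # engagement; may exceed 100
    dark_web_monitoring: bool = True
    in_breach: bool = False       # appears in at least one data breach
    breach_in_past_12_months: bool = False
    breach_contains_password: bool = False
    notified_of_breach: bool = True
    business_impact: str = "moderate"


def breach_exposure_points(e: Employee) -> float:
    """0-100 risk points from dark web data, per the Breach Exposure table."""
    if not e.dark_web_monitoring:
        return 50.0               # default when monitoring is disabled
    if not e.in_breach:
        return 0.0                # no breach, nothing to score
    points = 0.0
    if e.breach_in_past_12_months:
        points += 25
    if e.breach_contains_password:
        points += 25
    if not e.notified_of_breach:
        points += 50
    return points


def apply_business_impact(base_score: float, impact: str) -> float:
    """The modifier is a percentage multiplier on the base score (30 -> 36 for High)."""
    return base_score * (1 + BUSINESS_IMPACT[impact.lower()])


def risk_bucket(score: float) -> str:
    """Section 2.1 thresholds. Assumption: boundaries are inclusive, so
    fractional and negative scores fall into the bucket below them."""
    if score >= 70:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def human_risk(e: Employee) -> dict:
    """Weighted factor contributions, base score, modified score and bucket."""
    factors = {
        "security_iq": clamp(100 - e.security_iq, FACTOR_FLOOR, FACTOR_CEIL) * W_SECURITY_IQ,
        "phish_risk": clamp(e.phish_risk, FACTOR_FLOOR, FACTOR_CEIL) * W_PHISH_RISK,
        "breach_exposure": breach_exposure_points(e) * W_BREACH,
        "engagement": clamp(100 - e.badge_score, FACTOR_FLOOR, FACTOR_CEIL) * W_ENGAGEMENT,
    }
    base = sum(factors.values())
    final = apply_business_impact(base, e.business_impact)
    return {"factors": factors, "base": base, "final": final, "bucket": risk_bucket(final)}


# Constructed inputs matching the section 2.2 scenario.
EXAMPLE = Employee(
    email="alice@example.com", security_iq=65, phish_risk=40, badge_score=130,
    dark_web_monitoring=True, in_breach=True, breach_in_past_12_months=True,
    breach_contains_password=True, notified_of_breach=True,
)

if __name__ == "__main__":
    r = human_risk(EXAMPLE)
    for name, pts in r["factors"].items():
        print(f"{name:16s} {pts:+.2f}")
    print(f"base {r['base']:.2f}, final {r['final']:.2f}, bucket {r['bucket']}")
```

Running the script prints the four contributions from the worked scenario (+12.25, +14.00, +7.50, -4.50) and a base score of 29.25 in the Low bucket; setting `business_impact="high"` on the same employee lifts the final score to 35.10 while leaving the factor breakdown unchanged, which is the behaviour the modifier section describes.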
3. How Is Organizational Human Risk Calculated?
Organizational human risk is calculated using the same base algorithms and human risk factors, however there are some fundamental differences:
Initial Human Risk Calculation (Calculating The Average Human Risk)
First, CanIPhish calculates the average human risk across all employees, using the exact same calculations outlined above (2. How Is Human Risk Calculated?). This step provides a baseline for comparing individual employee risk levels.
Secondary Human Risk Calculation (Weighting Based On The Average)
Next, each employee’s individual risk is measured relative to this average. Employees whose risk is lower than average are given less weight in the final calculation, and those whose risk is higher than average are given more weight. This ensures that individuals who deviate from the norm, particularly those with much higher risk levels, affect the organization’s overall human risk more significantly.
Final Human Risk Calculation
Finally, the organization’s human risk is determined by combining everyone’s risk with these new weights in place. High-risk employees can therefore have a disproportionately large impact on the organization’s final risk score, reflecting how a handful of highly risky individuals can pose an outsized security threat.
How Is Weighting Determined?
The weight applied to an employee is determined using the algorithm outlined below:
- The deviation from the average human risk is determined:
- The deviation is clamped to ensure a minimum weighting of 0.25 and a maximum weighting of 4.0, with the average weighting being 1.0. For example, if an employee’s human risk is five times the average, their weight is capped at 4.0 (quadruple the average weight):
- Organizational risk is then computed based on the weighted risk of individual employees:
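As an added example, not CanIPhish's own code, the following Python carries the three steps above through on a constructed set of individual scores. The article describes the weighting only in words, so two details are assumptions: an employee's weight is their human risk score divided by the average score (which is what makes a five-times-average employee hit the 4.0 cap), clamped to the stated 0.25 to 4.0 range, and the organizational score is the weighted mean of the individual scores.

```python
"""Organizational human risk as a deviation-weighted aggregate of individual
scores, following section 3. Added illustration, not CanIPhish's own code.
Assumptions: weight = employee score / average score, clamped to [0.25, 4.0];
the organizational score is the weighted mean of individual scores."""
from statistics import mean

MIN_WEIGHT, AVG_WEIGHT, MAX_WEIGHT = 0.25, 1.0, 4.0


def clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


def employee_weight(risk: float, average: float) -> float:
    """Weight relative to the average: 1.0 at the average, capped at 4.0 for
    anyone at or above four times the average, floored at 0.25 below it."""
    if average <= 0:
        # Assumption: with a non-positive average no deviation ratio is
        # meaningful, so every employee is weighted equally.
        return AVG_WEIGHT
    return clamp(risk / average, MIN_WEIGHT, MAX_WEIGHT)


def organizational_risk(scores: dict) -> dict:
    """scores maps an employee identifier to their individual human risk score
    (the section 2 output). Returns the baseline, the weights and the result."""
    if not scores:
        raise ValueError("no employees to score")
    average = mean(scores.values())                                  # step 1: baseline
    weights = {who: employee_weight(s, average) for who, s in scores.items()}  # step 2
    org = sum(weights[who] * scores[who] for who in scores) / sum(weights.values())  # step 3
    return {"average": average, "weights": weights, "organizational_risk": org}


# Constructed sample: four low-risk employees and one high-risk outlier.
SAMPLE = {"ann": 20.0, "bob": 20.0, "cat": 20.0, "dan": 20.0, "eve": 100.0}

if __name__ == "__main__":
    r = organizational_risk(SAMPLE)
    print(f"plain average: {r['average']:.2f}")
    for who, w in r["weights"].items():
        print(f"  {who}: score {SAMPLE[who]:5.1f} weight {w:.2f}")
    print(f"organizational risk: {r['organizational_risk']:.2f}")
```

On the sample the plain average is 36 (Low), but the outlier carries a weight of about 2.78 against roughly 0.56 for each of the others, so the weighted result is about 64.4 (Medium). That is the effect the section describes: one high-risk employee moves the organizational score much further than an unweighted average would, while the four low-risk employees still count.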
Why Weighting Matters
This weighting approach is designed to mirror real-world impact:
- A small number of high-risk employees can dramatically weaken an organization’s security posture, so their impact on the overall score is amplified.
- Employees with comparatively low risk still count, but they do not dilute the score to the point where serious human risks are overlooked.
This ensures the final organizational risk metric provides a more accurate reflection of the security threats posed by higher-risk individuals.