In this article, we'll walk through everything you need to know about the business impact metric and how business impact rules work. We recommend using our interactive guide to help get you started!
For those looking to learn more, let's begin.
What Is The Business Impact Metric?
The Business Impact metric is an employee-level modifier used to influence Human Risk Scoring. It adds context about the potential organizational impact if a specific employee were breached during a cybersecurity incident, based on the role they perform. By applying business impact classifications (for example, Critical, High, Moderate, or Low), you can prioritize risk more accurately, ensuring that employees in higher-impact roles contribute more strongly to overall risk scoring and reporting.
What Are Business Impact Rules?
Business Impact Rules let you automatically assign a Business Impact classification (Critical, High, Moderate, or Low) to employees based on identifying attributes in their job title. Each rule includes an identifier and a priority. When multiple rules could match the same employee, the rule with the highest priority is applied.
These rules help automate employee-level business impact classification by removing the need to manually categorize each employee one by one. Instead, you define reusable criteria (for example, matching job titles like "*executive*" or "finance manager"), and CanIPhish applies the correct business impact category across your workforce. This keeps classifications consistent, reduces administrative effort, and ensures business impact settings scale automatically as employees are added or job titles change.
How Business Impact Influences Human Risk
Depending on the Business Impact classification assigned to an employee, there can be an amplification (up to +40%) or a reduction (up to -20%) in human risk. The degree of amplification or reduction for each classification is outlined in the list below:
- Low Impact (-20% Human Risk): Compromise of this individual would have minimal business impact, with limited access, low trust, and little to no ability to affect systems, data, or operations beyond their own role.
- Moderate Impact (+0% Human Risk): Compromise of this individual would cause a noticeable but contained impact, potentially affecting a specific team, function, or limited set of non-critical systems or data.
- High Impact (+20% Human Risk): Compromise of this individual would have a significant business impact, with the potential to disrupt core business functions, expose sensitive data, or enable lateral movement within the organisation.
- Critical Impact (+40% Human Risk): Compromise of this individual would pose a severe organisational risk due to elevated privileges or high trust, with the potential for widespread system compromise, major data loss, regulatory exposure, or operational shutdown.
Example: If an employee has a base human risk score of 30, and their business impact is set to High, then their human risk will be elevated to 36, reflecting a 20% increase in human risk.
Human Risk Modifier Range: -20% to +40% Human Risk Multiplier
How Business Impact Rules Work
Business Impact Rules automatically assign a Business Impact classification to employees by comparing each employee’s job title (or other supported identifiers) against the rule Identifier. Rules are evaluated using a priority-based system to ensure the most important (most specific) rules “win” when multiple rules could apply.
Rule Priority (1–1000)
Each rule includes a Priority value from 1 to 1000:
- 1 is the highest priority (applies first / overrides others).
- 1000 is the lowest priority (applies last / is most easily overridden).
If multiple rules match the same employee, CanIPhish applies the rule with the highest priority (the lowest number). Lower-priority rules are superseded by higher-priority rules.
A valid priority must be within 1–1000. Values outside this range are invalid and should be adjusted before saving.
Identifier Matching & Wildcards
The Identifier determines which employees a rule targets. Identifier matching is case-insensitive.
You can also use the wildcard character * to broaden the match:
- Prefix wildcard: *executive matches job titles that end with “executive”
- Suffix wildcard: executive* matches job titles that start with “executive”
- Both ends: *executive* matches job titles that contain “executive” anywhere
Wildcards are useful for covering variations in job titles (e.g., “Executive Assistant”, “Senior Executive”, “Chief Executive Officer”) without creating many individual rules.
Applying & Maintaining Rules
- Rules are evaluated by priority, ensuring consistent results even when multiple identifiers overlap.
- Classifications are automatically re-applied on a routine schedule (daily), so new employees and job title changes are picked up without manual rework.
Frequently Asked Questions
How do I categorize employees who don’t have a job title?
If an employee’s job title is blank (or missing), CanIPhish treats it as unknown. To categorize these employees, create a Business Impact Rule with the identifier unknown.
This identifier will match any employee whose job title is empty or is already set to unknown.
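To make the evaluation order concrete, here is a small Python model of the rule engine described above: priority ordering (1 wins over 1000), case-insensitive identifier matching, leading/trailing * wildcards, the special unknown identifier for blank or missing job titles, and the -20% to +40% human risk modifiers. It is an added example written for this article, not CanIPhish's own code. The rule set and employee list are constructed, and two behaviours the article does not specify are assumptions: an employee matched by no rule keeps an unset classification and an unmodified score, and two rules with equal priority resolve to whichever was defined first.

```python
"""Model of Business Impact rule evaluation (added example, not CanIPhish code).

Assumptions not stated in the article: an employee matched by no rule keeps an
unset classification and an unmodified score; equal-priority ties go to the
rule defined first.
"""
from dataclasses import dataclass
from typing import Optional

# Human risk modifier per classification, as given in the article.
MODIFIERS = {"Low": -0.20, "Moderate": 0.00, "High": 0.20, "Critical": 0.40}


@dataclass(frozen=True)
class BusinessImpactRule:
    identifier: str       # job-title pattern; '*' allowed at either end
    priority: int         # 1 = highest priority, 1000 = lowest
    classification: str   # one of the MODIFIERS keys


def rule_errors(rule: BusinessImpactRule) -> list:
    """Return validation problems for a rule (an empty list means valid)."""
    errors = []
    if not rule.identifier.strip("* \t"):
        errors.append("identifier must contain text, not only wildcards")
    if not 1 <= rule.priority <= 1000:
        errors.append("priority must be between 1 and 1000")
    if rule.classification not in MODIFIERS:
        errors.append("classification must be Low, Moderate, High or Critical")
    return errors


def normalise_title(job_title: Optional[str]) -> str:
    """Lower-case the title; blank or missing titles become 'unknown' so the
    special 'unknown' identifier can match them."""
    title = (job_title or "").strip().lower()
    return title or "unknown"


def identifier_matches(identifier: str, job_title: Optional[str]) -> bool:
    """Case-insensitive match with optional leading/trailing '*' wildcards.
    Only '*' is special; every other character is compared literally."""
    title = normalise_title(job_title)
    ident = identifier.strip().lower()
    leading = ident.startswith("*")
    trailing = ident.endswith("*")
    core = ident.strip("*")
    if leading and trailing:
        return core in title            # *executive*  -> contains
    if leading:
        return title.endswith(core)     # *executive   -> ends with
    if trailing:
        return title.startswith(core)   # executive*   -> starts with
    return title == core                # no wildcard  -> exact match


def classify(rules, job_title: Optional[str]) -> Optional[str]:
    """Pick the matching rule with the highest priority (lowest number)."""
    matches = [r for r in rules if identifier_matches(r.identifier, job_title)]
    if not matches:
        return None  # assumption: unmatched employees stay unclassified
    # min() keeps the first of equal keys, so earlier rules win ties (assumption)
    return min(matches, key=lambda r: r.priority).classification


def apply_business_impact(base_score: float, classification: Optional[str]) -> float:
    """Scale a base human risk score by the classification's modifier."""
    modifier = MODIFIERS[classification] if classification else 0.0
    return round(base_score * (1 + modifier), 2)


def classify_workforce(rules, employees):
    """One sync pass: (employee, title) pairs -> classification per employee."""
    return {name: classify(rules, title) for name, title in employees}


# Constructed sample rule set (not from any real tenant).
RULES = [
    BusinessImpactRule("chief executive officer", 1, "Critical"),
    BusinessImpactRule("finance manager", 20, "High"),
    BusinessImpactRule("*executive*", 50, "High"),
    BusinessImpactRule("*intern*", 100, "Low"),
    BusinessImpactRule("unknown", 900, "Moderate"),
]

# Constructed sample employees, including a blank and a missing job title.
EMPLOYEES = [
    ("alice", "Chief Executive Officer"),
    ("bob", "Senior Executive"),
    ("carol", "Executive Intern"),
    ("dave", ""),
    ("erin", None),
    ("frank", "Software Engineer"),
]

if __name__ == "__main__":
    for name, title in EMPLOYEES:
        cls = classify(RULES, title)
        print(f"{name:6} {title!r:28} -> {cls} -> score {apply_business_impact(30, cls)}")
```

Running the script shows the interactions the article describes: "Chief Executive Officer" matches both the exact rule (priority 1) and *executive* (priority 50) and takes Critical; "Executive Intern" matches *executive* (50) and *intern* (100) and takes High; blank and missing titles fall through to the unknown rule; and a base score of 30 becomes 36.0 under High, matching the article's worked figure.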
When are Business Impact Rules applied?
Business Impact Rules are automatically re-applied every 24 hours. This daily sync ensures:
- New employees are captured and assigned a business impact classification.
- Employees with updated job titles are re-evaluated and reclassified if needed.
Do I need to re-save rules after adding employees or changing job titles?
No. As long as a rule exists that matches the employee’s job title (or unknown), the daily re-application will handle it automatically.
How does AI-powered rule generation work?
The AI-powered Business Impact rule generator reviews employee job titles and how often each title appears. It then produces Business Impact rules based on common patterns of which roles typically carry higher or lower business impact.
It also respects any existing manual rules you already have, and orders all rules by priority so higher-priority rules are applied first. Finally, it estimates how many employees each rule applies to and returns a complete, ready-to-use rule set.