This article will take you through employee risk scoring functionality. This functionality is enabled by default on the Reporting page and is updated every 24 hours (or through a manual refresh).
1. What is Employee Risk Scoring?
CanIPhish extracts the unique email addresses listed in target lists and campaign statistics, attributes each address to a unique employee, and investigates that employee's performance in historic campaigns to understand the overall phish risk they pose to your business.
Phish risk scores are graded out of 100 with 0 representing the lowest risk and 100 representing the highest risk.
2. How are scores calculated?
CanIPhish considers employee performance over the past 20 campaigns an employee has participated in. More recent campaigns are weighted more heavily, and we consider both whether a user clicked on a payload and whether they were compromised by that payload.
2.1 What are the risk score thresholds?
We bucket users into three risk thresholds depending on their risk score:
- 70-100 Risk Score = High Risk
- 40-69 Risk Score = Medium Risk
- 0-39 Risk Score = Low Risk
2.2 How does the risk scoring algorithm work?
Each campaign consists of a possible 200 risk points. If an employee clicks on a payload, they receive 100 risk points. If the employee then proceeds to get compromised by the payload, they receive an additional 100 risk points, for a maximum of 200 per campaign. If the employee doesn't click on the payload or get compromised, they receive 0 risk points.
Recent campaigns are weighted more heavily than historic campaigns, and this is reflected in the way risk points are scored. Risk points attributed to each older campaign are weighted 20% lower than those of the next most recent campaign.
Example: Employee firstname.lastname@example.org has participated in 5 phishing campaigns with varied success in detecting the phish.
- Most recent campaign: Clicked payload but wasn't compromised: 100/200 risk points
- 2nd most recent: Didn't click payload and wasn't compromised: 0/200 * 0.8 = 0/160 risk points
- 3rd most recent: Clicked payload and was compromised: 160/160 * 0.8 = 128/128 risk points
- 4th most recent: Clicked payload and wasn't compromised: 64/128 * 0.8 = 51.2/102.4 risk points
- 5th most recent: Clicked payload and was compromised: 102.4/102.4 * 0.8 = 81.92/81.92 risk points
Risk Score = Risk Points / Possible Risk Points = 426.4/672.32 = 0.634 * 100 = 63/100 (Medium Risk)
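The scoring rules above, implemented as an added Python example (this is not CanIPhish's own code). The 100/100 point split, the 20% per-campaign decay, the 20-campaign window and the three thresholds come from this article; the function and class names, and the choice to score an employee with no campaign history as 0, are assumptions.

```python
from dataclasses import dataclass

CLICK_POINTS = 100                 # clicked the payload
COMPROMISE_POINTS = 100            # additionally compromised by the payload
MAX_POINTS_PER_CAMPAIGN = CLICK_POINTS + COMPROMISE_POINTS  # 200 per campaign
DECAY = 0.8                        # each older campaign weighted 20% lower
MAX_CAMPAIGNS = 20                 # only the 20 most recent campaigns count


@dataclass
class CampaignResult:
    """Outcome of one employee in one campaign (assumed structure)."""
    clicked: bool
    compromised: bool


def campaign_points(result: CampaignResult) -> int:
    """Unweighted risk points for a single campaign."""
    # A compromise follows a click, so a compromised user is treated as having clicked.
    clicked = result.clicked or result.compromised
    points = CLICK_POINTS if clicked else 0
    if result.compromised:
        points += COMPROMISE_POINTS
    return points


def risk_score(history: list[CampaignResult]) -> tuple[float, float, int]:
    """history is ordered most recent first.

    Returns (earned points, possible points, score out of 100)."""
    earned = possible = 0.0
    for i, result in enumerate(history[:MAX_CAMPAIGNS]):
        weight = DECAY ** i            # 1, 0.8, 0.64, 0.512, ...
        earned += campaign_points(result) * weight
        possible += MAX_POINTS_PER_CAMPAIGN * weight
    if possible == 0:                  # assumption: no history means no measured risk
        return 0.0, 0.0, 0
    return earned, possible, round(earned / possible * 100)


def risk_bucket(score: int) -> str:
    """Map a score out of 100 onto the article's three risk bands."""
    if score >= 70:
        return "High Risk"
    if score >= 40:
        return "Medium Risk"
    return "Low Risk"
```

Run on the five-campaign history listed above, the per-campaign points shown (100, 0, 128, 51.2, 81.92) sum to 361.12 out of a possible 672.32 rather than the 426.4 total given, so the function returns a score of 54, which is still Medium Risk.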