Human Risk Command Center - Overview

This article contains information on using the Human Risk Command Center to identify and analyze Risky User Behaviors, manage Watchlists, and explore Action Logs, and Event Logs.

Overview

The Human Risk Command Center (HRCC) enables you to identify your riskiest users with unprecedented visibility. Leveraging data from your Mimecast security ecosystem provides a centralized view of human risk across your organization. 

This may include email security, data from other Mimecast human risk solutions such as Incydr or Engage, as well as data from any other configured third-party human risk integrations, such as CrowdStrike or Microsoft Defender endpoint security data. Dashboard data sources and risk data displayed depend on the scope of your integrations. The more integrations you install, the richer your scoring and dashboard will be, to more accurately portray the human risk in your ecosystem.  Within the Human Risk Command Center, you can carry out searches, basic filtering, and high-level Human Risk analysis.

Considerations

We currently support Human Risk Management exclusively for manual and Directory Synchronization users; this feature is not available for users classified as message in transit.

Prerequisites

You have one of the following roles:

  • HRCC Administrator.
  • Security Awareness Administrator.
  • Super Administrator.
  • Basic Administrator.
  • A custom role that includes all of the following:
    • Human Risk Command Center: Edit, Read permissions.
    • Directories: Groups: Read permissions.
    • Directories: AD Groups: Read permissions.

See Roles - Understanding Administrator Roles for more information.

Human Risk Command Center Navigation

You can navigate to the Human Risk Command Center by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. The Human Risk Command Center section entries will appear in the left navigation area, following the Analysis and Response entry.
  3. Scoring group selection: Customers who have not previously specified a security Awareness Training group, Mimecast Engage, or Mimecast Awareness Training will be prompted to select a risk scoring group via Go to User Group Settings. The scoring group to be used can either be the pre-determined default group, or a group you can specify. This selection is made in the Settings area. See more information in the Settings section below.

configureusergroups.png

You can limit access to the Human Risk Command Center via custom administrator roles.
By default, roles include the "Human Risk" privilege. If you wish to limit Human Risk Command Center access, you can create new role(s) or edit existing ones and remove the "Human Risk: Read" and/or "Human Risk: Edit" privilege(s), then assign your administrators to roles with limited or no Human Risk access if you choose.

Human Risk Command Center Operation

  1. The Human Risk Command Center contains these core sections: Human Risk Dashboard, Risk Analysis, Risk Activity, and Settings.
  1. The Human Risk Dashboard displays:
  • Timeframe: This field allows you to select a Timeframe for your organization's Human Risk Command Center data of 3, 6, or 12 months.
  • Score trends over time: This displays the Human Risk score over time as well as the Risk Responses for some customers per above. Risk Responses are actions taken by Mimecast in response to user behavior. For Engage customers, this currently consists of Nudges, which is a type of Notification.  
  • Human Risk Score: This is based on your users' behavior and actions. This is calculated based on both the good actions (e.g., reporting a Phishing email) and the bad actions (e.g., clicking on a Phishing link) that your users take.
    See Human Risk Scoring.
  • Human Risk Behaviors: This measures how your users engage in risky behaviors in different categories. Categories that may appear, depending on your Mimecast product ownership and installed integrations, include Actual Phishing, Simulated Phishing, Training, Malware, and Sensitive Data Handling. A list of available integrations can be found in the Integration Hub, located in the APIs and Integrations section of your administrative console. Also refer to API & Integrations.

    It's possible to View Details to see more information. Details include Events Over Time, Individual Performance, Score Breakdown, and Latest Events.

  • Attack Factor: This displays how frequently your users are being attacked (e.g., being targeted by real phishing emails) compared to the rest of your organization. This does not contribute to the Human Risk Score because it is from external sources and out of your users' control. 
  • Highest Risks: This can show the highest-risk individuals, departments, and locations as well as their Human Risk score.
     From here you can:
    • Click on View all High Risk Individuals to see an expanded view. This will take you to the Risk Analysis page, sorted in order of greatest to least human risk score.
    • Click on Individual to view more details. This will take you to the Individual Risk Profile.
  • Filtering by Departments or Locations will aggregate the scores for the selection made. Depending on the filter, you can also select one of the following options for an expanded view and be redirected to the Risk Analysis page.
    • View all high-risk individuals.
    • View all high-risk departments.
    • View all high-risk locations.                          
 
  • By clicking on the Department or Location, you will also be directed to the Risk Analysis page, where you can see the employees associated with that selection.
  • When clicking on each employee, you will be able to see the Individual Risk Profile of that employee.
  • The Individual Risk Analysis Profile also includes information on the Position, Department, Location and Manager of the selected individual, depending on information from Directory Sync.
 
  • Most Attacked: This shows the most attacked individuals, as well as their associated Attack Factor. From here, you can:
    • Click on View most attacked individuals to see an expanded view. This will take you to the Risk Analysis page.
    • Click on an individual to view Individual Risk Profile, Action Logs, and Events, in the same way as from Highest Risks.

      Action Logs and Events displays may or may not appear, depending on your installed Mimecast and third-party integrations.

In-App Human Risk Score Simulator

The Human Risk Score Simulator can provide organizations with an overview of how their organization's and individuals' human risk scores are calculated.

  • To access how an organization's risk score is calculated, you can click the Info-icon.
2026-06-05_14-59-07.png
  • This will give you a detailed explanation, including a formula for how the organization's human risk score is calculated.
  • Simulate organization human risk score will show you how your organization's risk score changes as you adjust the distribution of employees across risk levels.

Individual Risk Profile

The Individual Risk Profile page displays:

  1. The Profile Info tab shows the following information for the selected user:
  • Human Risk Score.
  • Score Trends Over Time.
  • Action Factor Score Breakdown.
  • Attack Factor.
  • It may also include the following, depending on your installed Mimecast Human Risk products and configured third-party integrations: 
    • Risk Responses.
    • Action Log.
  Individual Risk Profile
  1. The Action Log tab shows the actions your organization has taken in response to users' behavior, e.g., Nudges. You can also filter the data within this view.
  2. The Events tab shows events related to User Behavior, as well as Events Affecting the User, which we ingest from the security solutions we monitor. This includes, for example, a user clicking on a real phishing email and training that was assigned to the user. These are events that the user had control over and could interact with. You can also filter the data within this view.

The in-app Human Risk Scores Simulator for individual risk scores can be accessed after selecting the individual user and then clicking on the Help icon or Info-icon.

The individual Human Risk Score quantifies each person's risk based on their actions (where 0 is negligible to 10 is very high risk); lower is better. The scores are broken into risk levels. See also: Mimecast Human Risk Scoring

Ignoring Events

Administrators can now mark individual events to be ignored within the HRCC, classifying them as either a false positive or a benign event. This gives administrators direct control over which events contribute to user behavior risk scores and attack factor calculations. When events are excluded from scoring, HRCC data accurately reflects the behaviors and incidents that your organization considers genuinely risky.

Key behaviors of this feature:

  • Administrators can mark any individual event to be ignored directly from the HRCC event detail view, classifying it as a false positive or a benign event.
  • Ignored events are excluded from user behavior risk score calculations and attack factor metrics.
  • This capability extends to all supported HRCC behavior types, not only URL clicks in actual phishing simulations.
  • Marked events remain visible in the event log with a clear ignored indicator in the event details, preserving history while removing their scoring impact.

This action is not reversable. Administrators cannot unmark an ignored event to restore its contribution to scoring.

Risk Analysis

You can navigate to Risk Analysis by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Analysis.
  3. The Risk Analysis page displays a table view of all users' risk and demographic information:

  1. On the Risk Analysis page, you can:
  • Scope the page via Table mode for selection to Individuals, Departments, or Locations.
  • Customize Columns: Full Name and Human Risk Score are displayed by default; you can also select additional columns, depending on which types of data are available for your account, as discussed above. This may include Email Address, Actual Phishing, Attack Factor, Malware, Simulated Phishing, and Training.

Additionally, you can select whether to Truncate long column values.

  Customize Risk Analysis columns
  • Search by name or Email.
  • Filter by column data; this enables you to filter your data-by-data type.
  • Sort by column data.
  • Click on an Individual to view more details. This will take you to the user's Individual Risk Profile page.

Risk Activity

The Risk Response Engine page has been renamed to the Risk Activity page.

Action Logs

You can navigate to the Action Logs by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Activity | Action Logs.
  Action Logs  
  1. The Action Logs page displays a list of users who currently match a rule, e.g., have completed training on time in the past day, and includes:
  • Rule Name: The Rule Name; this is the same as the Nudge name.
  • Person Name: Name of the user.
  • Email: The user's Email address.
  • Action Taken: The action that was taken.
  • Action Status: Whether it was successful or not.
  • Executed On: The date the rule was executed.
  1. In the Action Logs page, you can:
  • Search the data by First Name, Last NameEmail, and Role.
  • Filter by column data; this enables you to filter specific values within the data.

      Action Logs filter
  • Sort by column data.
  • Click on a Person Name to view information for the Individual in more detail. This will take you to the user's Individual Risk Profile page.

Event Log

The Risk Activity page now includes an Event Log tab. This enables administrators to view events across all users in their organization from a single centralized view, without needing to navigate to individual user profiles.

Event Exclusion from HRCC Scoring

Event Exclusion allows HRCC administrators to manually flag individual risk events as either a false positive or ignored (benign), removing them from contributing to a user's Human Risk Score. This allows administrators to correct inaccurate scoring caused by events that are safe, expected, or irrelevant to their organization's risk posture.

Exclusion applies to events scored against the Human Risk Score or the Attack Factor. Remediation events themselves cannot be excluded.

Processing an Event Exclusion

Administrators can perform the exclusion process from two locations:

  • The Event Logs tab on an Individual Risk Profile (IRP) within the Risk Analysis page: for events associated with a specific user.
  • The Event Logs tab within the Risk Activity page: for events across all users.
  1. Log in to the Human Risk Command Center.
  2. Select the event in Event Logs tab in either the IRP Risk Analysis page or the Risk Activity page.
  3. Click the ellipses (...) on the event | View Details | Exclude Event | Mark as false positive or Ignore.
  4. Optionally, administrators can add a Comment (up to 512 characters) and select additional event fields to bulk-match similar historical events.
  5. Click Confirm.
  6. Select the newly remediated event in Event Logs and click the ellipses (...) to View Details.

Difference between "Mark as false positive" and "Ignore"

Classification Meaning When to use
Mark as false positive A detection failure: the system incorrectly classified harmless activity as malicious. Use when the event should never have been flagged (e.g., a know-safe tool triggering a malware alert)
Ignore (Benign) Exclude the event from scoring without treating it as a false positive. Use for expected or routine activity the organization does not consider a risk (e.g., a red team simulation, a training campaign with an incorrect due date).

 

See Human Risk Command Center - Event Exclusion from HRCC Scoring - FAQ for additional information.

Watchlists

Display of the information in this section depends on which Mimecast Human Risk Management products you own and third-party integrations you have configured, and for this information to be displayed, you need Engage Pro. The Watchlists that appear will depend on the Nudges that are enabled in Engage.

You can navigate to the Watchlists by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Activity | Watchlists.
  3. The Watchlists page displays a list of Watchlists by Name and Description. This is a snapshot view of which of your users will receive Nudges, as the Names map to Nudge rules.
  Watchlists
  1. You can click on the Watchlist's Name to see a list of users' Names and Email addresses.
    The listed users are those who currently match the Watchlist criteria, i.e., if the corresponding Nudge were enabled, these users would receive it.
  Watchlist users

Settings

In the Settings area, you can manage which users are tracked by the Human Risk Command Center by specifying which will be included in the Scoring Group. You access the Settings area either as a new user from the group settings prompt described above or from the left navigation menu for the Human Risk Command Center.

On first use, the administrator will see a pre-selected user group and will be prompted to either confirm it or choose a different group.

In the Settings area, you can select and confirm your preferred Scoring Group.

To Configure User Groups, click on Go to Group Selection, which allows customers to use their own custom groups.
From there, select your preferred Directory Groups or Local Groups, and then click Add Groups.

Selecting your own User Groups will remove the pre-determined user permanently. This change is not reversible.

You can also Preview Group you've created to view the users that are within that group.

Currently, there is no method to exclude users being scored in the Human Risk Command Center from the Very High Risk Users (Risk Score = Very High) and Very High Attack Factor profile groups.

High Risk Adaptive Policies

To help provide actionability of the Human Risk Command Center data and support the creation of Adaptive Policies, Mimecast automatically creates two Profile Groups that help provide actionability of the Human Risk Command Center data. These groups are:

  • Very High Risk Users (Risk Score = Very High): users with a risk score greater than 8
  • Very High Attack Factor: users with an Attack Factor greater than 8

You cannot modify these groups directly (they are read-only), but you can view them using the standard Email Security - MX Profile Group management capabilities found in the Mimecast Administrative Console | Directories | Profile Groups. Group membership is updated every 4 hours.

Initially, these changes will not be reflected in the Action Log. This function is planned for a future update.

What can be done with the  Data in the Human Risk Command Center

The visibility provided by the Human Risk Command Center can help you determine what actions can help reduce the biggest risks faced by your organization.

A vast majority of risks can be reduced or eliminated by helping users change their behavior. Most of the risks introduced into your environment by users are non-malicious and unintentional. These are usually self-correctable. You can help users adjust their behavior by providing more targeted training focusing on the corrective actions they can take. Products such as Mimecast Engage provide out-of-the-box targeted training via Nudges that can give users specific reminders to help adjust their behavior.
In addition to user education and training, you can also use the information to take other actions that may involve process changes, policy changes, or technology changes. For instance, if you notice certain users are being targeted heavily by phishing campaigns (reflected via the Attack Factor score), you could choose to add those users to more aggressive email scanning or filtering policies. Or, if you find users who had malware detections (reflected by the Malware score and the Attack Factor score), you may choose to change EDR policies and settings to be more protective. Another example is that if you see that users are getting poor scores in sensitive data handling, you may choose to have more restrictive data security policies for those users. Mimecast's Incydr product can be used to monitor sensitive data movement and adjust policies that reduce the risk of accidental data leaks and data loss.

Similarly, other risks may be addressed by making other policy changes and communicating them to your end users. For example, you may choose to update the Acceptable Use Policy to address the appropriate use of AI tools. Or you may introduce process improvements, such as notifying a user manager when one of their employees has had a particularly egregious risk level and suggesting some steps to help adjust user behavior.

Several actions could be automated using orchestration tools to reduce workload on the security and compliance teams.

The high-risk Profile Groups mentioned above can help you focus on follow-up actions on this high-risk population. As these groups are self-adjusting, you can also use them as input to your automated actions.

These are just some of the ways you can use the unparalleled visibility provided by Mimecast's Human Risk Command Center to reduce the risk of your riskiest users and of your organization today.

Using the automatically configured Profile Groups mentioned above, you can set up Email Policies that are more restrictive or strict for members of these groups since these groups represent the most attacked and most risky users. Customers with Mimecast Incydr can mirror the members of these groups to Incydr Watchlists to enforce addition controls like Temporary Allow, or Upload blocking.

The Dashboard also presents trends over time, which is particularly beneficial for the Attack Factor. This feature helps you determine if your users are becoming more vulnerable to attacks. Conversely, it enables you to evaluate the effectiveness of your vulnerability management initiatives and review malware and other tools, indicating whether stronger preventive measures are needed.

Troubleshooting

If your Human Risk Dashboard is blank, with a message stating "Please wait while your data is provisioned", and you are not a new customer, your scoring group may be missing or invalid, especially if you are an Engage or Awareness Training customer. Please visit the Human Risk Settings page to review and manage the Human Risk Scoring groups.

See Also...

Was this article helpful?
7 out of 11 found this helpful

Comments

0 comments

Please sign in to leave a comment.