Human Risk Command Center - Overview

This article contains information on using the Human Risk Command Center to identify and analyze Risky User Behaviors, manage Risk Responses, and navigate features like Risk Analysis, Action Logs, and Watchlist.

Overview

The Human Risk Command Center enables you to identify your riskiest users with unprecedented visibility. Leveraging data from your Mimecast security ecosystem provides a centralized view of human risk across your organization. 

This may include email security, data from other Mimecast human risk solutions such as Incydr or Engage, as well as data from any other configured third-party human risk integrations, such as CrowdStrike or Microsoft Defender endpoint security data. Dashboard data sources and risk data displayed depend on the scope of your integrations. The more integrations you install, the richer your scoring and dashboard will be, to more accurately portray the human risk in your ecosystem.  Within the Human Risk Command Center, you can carry out searches, basic filtering, and high-level Human Risk analysis.

Human Risk Command Center Navigation

You can navigate to the Human Risk Command Center by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. The Human Risk Command Center section entries will appear in the left navigation area, following the Analysis and Response entry.
  • When accessing the Human Risk Command Center for the first time, administrators may be prompted as follows. Which of these prompts, if any, you see depends on which Mimecast products you previously owned and configured.
    • Acceptance of privacy Terms & Conditions. This is mandatory for customers who have not accepted these specific privacy-related terms previously. The terms open in a new page, and you will need to agree and click Get Started to continue.
    • If you would like to review the Terms & Conditions, these can be found on the Mimecast Contracts Page. For direct links, see:


    • Scoring group selection. Customers who have not previously specified a security awareness training group, Mimecast Engage, or Mimecast Awareness Training will be prompted to select a risk scoring group via Go to User Group Settings. The scoring group can be either the pre-determined default group or a group you specify. This selection is made in the Settings area. See the Settings section below for more information.


  • Note: You can limit access to the Human Risk Command Center via the use of custom administrator roles.
    By default, roles include the "Human Risk" privilege. If you wish to limit HRCC access, you can create new role(s) or edit existing ones and remove the "Human Risk: Read" and/or "Human Risk: Edit" privilege(s), then assign your administrators to roles with limited or no Human Risk access if you choose.

Human Risk Command Center Operation

  1. The Human Risk Command Center contains these core sections: Human Risk Dashboard, Risk Analysis, Risk Response, and Settings.
  2. The Human Risk Dashboard displays:
  • Timeframe: This field allows you to select a Timeframe for your organization's Human Risk Command Center data of 3, 6, or 12 months.
  • Score trends over time: This displays the Human Risk score over time and, for customers with the relevant products, the Risk Responses. Risk Responses are actions taken by Mimecast in response to user behavior. For Engage customers, this currently consists of Nudges, which are a type of Notification.
  • Human Risk Score: This is based on your users' behavior and actions. This is calculated based on both the good actions (e.g., reporting a Phishing email) and the bad actions (e.g., clicking on a Phishing link) that your users take.
    See Human Risk Scoring.
  • Human Risk Behaviors: This measures how your users engage in risky behaviors in different categories. Categories that may appear, depending on your Mimecast product ownership and installed integrations, include: Actual Phishing, Simulated Phishing, Training and Malware. A list of available integrations can be found in the Integration Hub, located in the APIs and Integrations section of your administrative console. Also refer to API & Integrations.

    It's possible to View Details to see more information. Details include: Events Over Time, Individual Performance, Score Breakdown, and Latest Events.

  • Attack Factor: This displays how frequently your users are being attacked (e.g., being targeted by real phishing emails) compared to the rest of your organization. This does not contribute to the Human Risk Score because it is from external sources and out of your users' control. 
  • Highest Risks: This can show the highest-risk individuals, departments, and locations as well as their Human Risk score.
    From here you can:
    • Click on View all High Risk Individuals to see an expanded view. This will take you to the Risk Analysis page.
    • Click on Individual to view more detail. This will take you to the Individual Risk Profile.
  • Filtering by Departments or Locations will aggregate the scores for the selection made. Depending on the filter, you can also select one of the following options for an expanded view and be redirected to the Risk Analysis page.
    • View all high-risk individuals.
    • View all high-risk departments.
    • View all high-risk locations.                          
 
  • By clicking on the Department or Location, you will also be directed to the Risk Analysis page, where you can see the employees associated with that selection.
  • When clicking on each employee, you will be able to see the Individual Risk Profile of that employee.
  • The Individual Risk Analysis Profile also includes information on the Position, Department, Location, and Manager of the selected individual.
 
  • Most Attacked: This shows the most attacked individuals, as well as their associated Attack Factor. From here, you can:
    • Click on View most attacked individuals to see an expanded view. This will take you to the Risk Analysis page.
    • Click on an individual to view Individual Risk Profile, Action Logs, and Events, in the same way as from Highest Risks.

      Action Logs and Events displays may or may not appear, depending on your installed Mimecast and third-party integrations.

Individual Risk Profile

The Individual Risk Profile page displays:

  1. The Profile Info tab shows the following information for the selected user:
  • Human Risk Score.
  • Score Trends Over Time.
  • Action Factor Score Breakdown.
  • Attack Factor.
  • It may also include the following, depending on your installed Mimecast Human Risk products and configured third-party integrations: 
    • Risk Responses.
    • Action Log.
  2. The Action Log tab shows the actions your organization has taken in response to users' behavior, e.g., Nudges. You can also filter the data within this view.
  3. The Events tab shows events related to User Behavior, as well as Events Affecting the User, which we ingest from the security solutions we monitor. This includes, for example, a user clicking on a real phishing email and training that was assigned to the user. These are events that the user had control over and could interact with. You can also filter the data within this view.

Risk Analysis

You can navigate to Risk Analysis by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Analysis.
  3. The Risk Analysis page displays a table view of all users' risk and demographic information.
  4. On the Risk Analysis page, you can:
  • Scope the page via Table mode selection to Individuals, Departments, or Locations.
  • Customize Columns: Full Name and Human Risk Score are displayed by default; you can also select additional columns, depending on which types of data are available for your account, as discussed above. This may include: Email Address, Actual Phishing, Attack Factor, Malware, Simulated Phishing, and Training.

Additionally, you can select whether to Truncate long column values.

  • Search by name or Email.
  • Filter by column data; this enables you to filter your data by data type.
  • Sort by column data.
  • Click on an Individual to view more detail. This will take you to the user's Individual Risk Profile page. 

Risk Response Engine

Action Logs

You can navigate to the Action Logs by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Response Engine | Action Logs.
  3. The Action Logs page displays a list of users who currently match a rule, e.g., have completed training on time in the past day, and includes:
  • Rule Name: The Rule Name; this is the same as the Nudge name.
  • Person Name: Name of the user.
  • Email: The user's Email address.
  • Action Taken: The action that was taken.
  • Action Status: Whether it was successful or not.
  • Executed On: The date the rule was executed on.
  4. In the Action Logs page, you can:
  • Search the data by First Name, Last Name, Email, and Role.
  • Filter by column data; this enables you to filter for specific values within the data.

  • Sort by column data.
  • Click on a Person Name to view information for the Individual in more detail. This will take you to the user's Individual Risk Profile page.

Watchlists

Display of the information in this section depends on which Mimecast Human Risk Management products you own and third-party integrations you have configured, and for this information to be displayed, you need Engage. The Watchlists that appear will depend on the Nudges that are enabled in Engage.

You can navigate to the Watchlists by using the following steps:

  1. Log on to Human Risk Command Center.
  2. Navigate to Risk Response Engine | Watchlists.
  3. The Watchlists page displays a list of Watchlists by Name and Description. This is a snapshot view of which of your users will receive Nudges, as the Names map to Nudge rules.
  4. You can click on the Watchlist's Name to see a list of users' Names and Email addresses.
    The listed users are those who currently match the Watchlist criteria, i.e., if the corresponding Nudge were enabled, these users would receive it.

Settings

In the Settings area, you can manage which users are tracked by the Human Risk Command Center by specifying which will be included in the Scoring Group. You access the Settings area either as a new user from the group settings prompt described above or from the left navigation menu for the Human Risk Command Center.

On first use, the administrator will see a pre-selected user group and will be prompted to either confirm it or choose a different group.

In the Settings area, you can select and confirm your preferred scoring group.

To Configure User Groups, click on Go to Group Selection, which allows customers to use their own custom groups.
From there, select your preferred Directory Groups or Local Groups, and then click Add Groups.

Selecting your own User Groups will remove the pre-determined user group permanently. This change is not reversible.

You can also use Preview Group to view the users that are within the group you've created.

Currently, there is no method to exclude users being scored in the Human Risk Command Center from the Very High Risk Users (Risk Score = Very High) and Very High Attack Factor profile groups.

High Risk Adaptive Policies

To make the Human Risk Command Center data actionable and support the creation of Adaptive Policies, Mimecast automatically creates two Profile Groups for you. These groups are:

  • Very High Risk Users (Risk Score = Very High): users with a risk score greater than 8
  • Very High Attack Factor: users with an Attack Factor greater than 8

You cannot modify these groups directly (they are read-only), but you can view them using the standard Cloud Gateway Profile Group management capabilities found in the Mimecast Administration Console under Directories | Profile Groups. Group membership is updated every 4 hours.

Initially, these changes will not be reflected in the Action Log. This function is planned for a future update.

What can be done with the Data in the Human Risk Command Center

The visibility provided by the Human Risk Command Center can help you determine what actions can help reduce the biggest risks faced by your organization.

A vast majority of risks can be reduced or eliminated by helping users change their behavior. Most of the risks introduced into your environment by users are non-malicious and unintentional. These are usually self-correctable. You can help users adjust their behavior by providing more targeted training focusing on the corrective actions they can take. Products such as Mimecast Engage provide out-of-the-box targeted training via Nudges that can give users specific reminders to help adjust their behavior.
In addition to user education and training, you can also use the information to take other actions that may involve process changes, policy changes, or technology changes. For instance, if you notice certain users are being targeted heavily by phishing campaigns (reflected via the Attack Factor score), you could choose to add those users to more aggressive email scanning or filtering policies. Or, if you find users who had malware detections (reflected by the Malware score and the Attack Factor score), you may choose to change EDR policies and settings to be more protective. Another example is that if you see that users are getting poor scores in sensitive data handling, you may choose to have more restrictive data security policies for those users. Mimecast’s Incydr product can be used to monitor sensitive data movement and adjust policies that reduce the risk of accidental data leaks and data loss.

Similarly, other risks may be addressed by making other policy changes and communicating them to your end users. For example, you may choose to update the Acceptable Use Policy to address the appropriate use of AI tools. Or you may introduce process improvements, such as notifying a user’s manager when one of their employees has had a particularly egregious risk level, and suggesting some steps to help adjust user behavior.

Several actions could be automated using orchestration tools to reduce workload on the security and compliance teams.

The high-risk Profile Groups mentioned above can help you focus follow-up actions on this high-risk population. As these groups are self-adjusting, you can also use them as input to your automated actions.
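As an added example (not Mimecast's own code or API), the following Python rebuilds the two read-only Profile Groups from per-user scores using the "greater than 8" thresholds stated above, then diffs two consecutive refreshes into the add/remove actions an orchestration workflow would consume. The user records, email addresses, and action names are constructed assumptions.

```python
"""Turn self-adjusting high-risk group membership into orchestration actions.

Added example, not Mimecast code. Scores and addresses are constructed.
"""
from dataclasses import dataclass

VERY_HIGH_THRESHOLD = 8  # page: risk score / attack factor "greater than 8"


@dataclass(frozen=True)
class UserRisk:
    email: str
    risk_score: float     # Human Risk Score
    attack_factor: float  # Attack Factor (does not feed the risk score)


def build_groups(users):
    """Rebuild {group_name: set(emails)} the way the page describes the groups."""
    return {
        "Very High Risk Users": {u.email for u in users if u.risk_score > VERY_HIGH_THRESHOLD},
        "Very High Attack Factor": {u.email for u in users if u.attack_factor > VERY_HIGH_THRESHOLD},
    }


def reconcile(previous, current):
    """Diff two refreshes into (action, group, email) tuples, sorted for stable replay."""
    actions = []
    for group in sorted(set(previous) | set(current)):
        before, after = previous.get(group, set()), current.get(group, set())
        actions += [("apply_strict_policy", group, e) for e in sorted(after - before)]
        actions += [("revert_strict_policy", group, e) for e in sorted(before - after)]
    return actions


# Constructed sample: membership inputs from two successive 4-hour refreshes.
PREVIOUS_REFRESH = [
    UserRisk("alice@example.com", 8.4, 3.0),
    UserRisk("bob@example.com", 8.0, 9.1),    # exactly 8 is not "greater than 8"
    UserRisk("carol@example.com", 5.2, 8.7),
]
CURRENT_REFRESH = [
    UserRisk("alice@example.com", 7.6, 3.5),  # improved: leaves the risk group
    UserRisk("bob@example.com", 8.3, 9.0),    # now qualifies for both groups
    UserRisk("carol@example.com", 5.0, 8.9),
]


def planned_actions():
    return reconcile(build_groups(PREVIOUS_REFRESH), build_groups(CURRENT_REFRESH))


if __name__ == "__main__":
    for action, group, email in planned_actions():
        print(f"{action:<22} {group:<26} {email}")
```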

These are just some of the ways you can use the unparalleled visibility provided by Mimecast’s Human Risk Command Center to reduce the risk of your riskiest users and of your organization as a whole today.

In particular, using the automatically configured Profile Groups mentioned above, you can set up Email Policies that are more restrictive or strict for members of these groups, since these groups represent the most attacked and most risky users. Customers with Mimecast Incydr can mirror the members of these groups to Incydr Watchlists to enforce additional controls like Temporary Allow or Upload blocking.

The Dashboard also presents trends over time, which is particularly beneficial for the Attack Factor. This feature helps you determine if your users are becoming more vulnerable to attacks. Conversely, it enables you to evaluate the effectiveness of your vulnerability management initiatives and review malware and other tools, indicating whether stronger preventive measures are needed.

Troubleshooting

We currently support human risk management exclusively for manual and directory sync users; this feature is not available for users classified as message in transit.

If your Human Risk Dashboard is blank, with a message stating "Please wait while your data is provisioned", and you are not a new customer, your scoring group may be missing or invalid, especially if you are an Engage or Awareness Training customer. Please visit the Human Risk Settings page to review and manage the Human Risk Scoring groups.
