This article explains Human Risk Scorecards in Engage, which provide a customizable Template featuring category-based risk breakdowns and historical comparisons. Scorecards are delivered via Scorecard Campaigns, to improve user engagement.
Overview
Scorecards in Engage move away from numeric risk scores with opaque scoring models, toward relative risk levels (e.g. “High Risk”) with greater scoring transparency. This gives you greater flexibility to tailor communications, including content blocks and optional calls to action, reflecting best practices in enterprise security awareness programs.
Scorecards are easy to understand, with clear explanations and actionable insights, and provide the following:
- Human Risk Score Dial: This shows each End User a relative risk level (Very Low, Low, Medium, High, or Very High). Removing raw numeric scores reduces confusion and focuses on actionable next steps.
- Category-Based Risk Breakdown: End Users will see their riskiness broken down by behavior categories such as Actual Phishing, Simulated Phishing, Training, Malware, and Sensitive Data Handling.
- Historical Comparison: This shows End Users month-over-month change to their risk score.
- Score breakdown: Each behavioral block provides a clear breakdown of what user actions in the past month contributed to their risk level, reducing the need for security teams to answer repetitive questions.
- Preview and Customization: Scorecards can be previewed within the application, and you can customize email subjects and optional calls to action.
- Template and Block Management: Scorecard configurations can be saved as a Scorecard Template. Enable/disable behavioral blocks as needed, ensuring communications are relevant and concise.
- Broad Email Client Support: Scorecards render correctly in Microsoft Outlook (web, desktop, mobile), and Gmail (web, mobile).
Considerations
- It is currently possible to create and edit only one Scorecard Template.
- Scorecard Campaigns currently support one-time scheduling only.
- Score breakdowns surface events in the past month that contributed to a user's risk score.
Prerequisites
- You have an Engage license.
- You have an Administrator role for Engage.
- You have configured Safe Senders, to allow the automatic download of images (otherwise, images in Scorecards will not be displayed).
- The Actual Phishing section in the Scorecard Template requires an integration with an existing email security solution, such as Mimecast, or Microsoft 365.
- The Malware section in the Scorecard Template requires an integration with a third party anti-malware solution such as CrowdStrike.
  See CrowdStrike Integration Cloud Gateway and CrowdStrike Integration Cloud Integrated.
- The Sensitive Data Handling section in the Scorecard Template requires an integration with either Incydr, or a third party data loss prevention solution.
  See Incydr Ingestion Integration.
Configuring the Scorecard Template
You can configure the Scorecard Template, by using the following steps:
- Log in to Engage.
- Navigate to Scorecards | Templates.
- The Edit Template page is displayed.
- Configure the Scorecard Template, by using the following sections:
  - Use the arrowhead in the top right of a section to collapse or expand it.
  - Use the Display toggle, to show or hide this sub-category in the Template Preview.
  - General Settings:
    - Template Name: Enter a name (mandatory).
    - Template Description: Enter a description (mandatory).
  - Template Settings:
    - Email subject/title: Enter a subject / title (mandatory).
  - Per-category Settings:
    - Training.
    - Simulated Phishing.
    - Actual Phishing.
    - Malware.
    - Sensitive Data Handling.
    Use of the Malware and Sensitive Data Handling sections is dependent on specific integrations being configured correctly; see Considerations.
    - For each sub-section:
      - Use the Enable call to action toggle, to show or hide the call to action button, in the Preview Email pane.
      - Enter the call to action text.
      - Enter the call to action URL.
  - Footer:
    - FAQ Url link: Enter the link for your FAQ (optional). E.g. Link to internal policy documents, security resources, relevant organizational communications, etc.
    - Contact email address: Enter the contact email address (optional). E.g. Your organization's IT Support email address.
    - If neither field is filled in, the Footer won't appear.
    - If the FAQ Url link is missing, the Footer will display "contact us at ____"
    - If the Contact email address is missing, the Footer will display "Read our FAQ."
- Further actions are available in the Edit Template screen:
  - Revert Changes: Discard the changes you've made.
  - Save: Save the changes to the Scorecard Template.
  - Preview Email: Preview the Scorecard Template email. This allows you to preview what an End User would see by searching by their email address, and includes each section for which Display is toggled on.
- You can navigate back to Templates, to make and save further changes, as required.
Creating a Scorecard Campaign
You can create a Scorecard Campaign, by using the following steps:
- Log in to Engage.
- Navigate to Scorecards | Campaigns.
- The Campaigns screen is displayed, which:
  - Displays a graph showing Human Risk Score Trends Over Time. This defaults to a Date range of Past 12 months, and can be amended to select Past 3 months, or Past 6 months.
  - Lists your previously scheduled Scorecard Campaigns, including their Campaign Name, Status, Sent Date, and number of Recipients.
  - Allows you to Search for Scorecard Campaigns.
- To create a new Scorecard Campaign, click on New Campaign.
- In the Create New Campaign flyover, enter:
  - Campaign Name: Enter a name for the Scorecard Campaign.
  - Date: Enter the date to send the Scorecard Campaign on.
  - Time: Enter the time to send the Scorecard Campaign at.
- Click on Next to continue, or Cancel, to close the flyover.
- Select the required Recipient Groups (Active Directory or Local Groups) to add.
  - Click on "x" next to a Selected Group, to remove it.
- Click on Next to continue, Back to return to the previous tab, or Cancel, to close the flyover.
  When evaluating Scorecards, it's recommended that you start by selecting a smaller test group, instead of sending to all users.
- Review the Scorecard Campaign details.
- Click on Schedule to continue, Back to return to the previous tab, or Cancel, to close the flyover.
- The Scorecard Campaign emails relevant End Users a Scorecard, to visualize their own risk levels and behaviors, broken down by categories specified in the Scorecard Template (e.g. Actual Phishing, Simulated Phishing, Training, Malware, and Sensitive Data Handling).
- Click on a Scorecard Campaign to see further details for it. This displays:
  - The Campaign Details (Email Launch Date & Time, Template, Emails Sent, Recipient Groups, Recipient List, Email Open Rate, and Created By).
  - The Emails Sent (by Name, Email, Department, and Status).
  - A Search bar, for searching within the Emails Sent section.
| Q: | Why are numeric risk scores being replaced with relative risk levels? |
| A: | Numeric scores often lead to confusion and demands for transparency into scoring algorithms. By using relative levels (e.g. "High Risk"), the focus shifts to actionable feedback and behavior change, which is more effective for end users and aligns with industry best practices. |
| Q: | What categories of risk will be shown in the scorecard? |
| A: | Out of the box, scorecards will display risk levels for Actual Phishing, Simulated Phishing, and Training. Additional categories (Malware and Sensitive Data Handling) are available for customers who've integrated data sources for those behavior categories. |
| Q: | Can I customize the look and content of scorecards? |
| A: | Yes. You can customize the subject line, and optional calls to action. You can also enable/disable content sections. |
| Q: | How will Scorecard Campaign performance be tracked? |
| A: | Detailed statistics will be available, including the number of emails sent, recipients, open rates, and impact on Human Risk score over time. |
| Q: | What email clients are supported? |
| A: | Scorecards are designed to be compatible with Microsoft Outlook (web, desktop, mobile) and Gmail (web, mobile), ensuring broad accessibility. |
| Q: | Will users see how they compare to their peers or departments? |
| A: | Not in the initial release. Future updates may include peer and departmental comparisons as additional data becomes available. |
| Q: | Is internationalization supported? |
| A: | Not in the initial release. The architecture is designed to support future translation and localization efforts. |
| Q: | Can I create additional Scorecard Templates? |
| A: | Not in the initial release. Future updates will include the ability to do so, and you'll be able to select the Scorecard Template required, when creating a new Scorecard Campaign. |
| Q: | Is Branding supported? |
| A: | Not in the initial release. Future updates will include the ability to do so. |
| Q: | Can I schedule Scorecard Campaigns to be sent regularly, e.g. every first Monday of the month? |
| A: | Not in the initial release. One-time scheduling only is supported, with recurring scheduling planned in the future. |
Comments
Does this take time to populate as not seeing scorecards within engage