This article describes Human Risk Scoring for Engage Human Risk Scorecards. Human Risk Scoring assesses and reduces the cybersecurity risk caused by human actions, using individual scores based on behaviors such as phishing response and training completion to guide support and improvement efforts.
Overview
What is Human Risk Scoring?
Human Risk Scoring is a way for organizations to better understand where their greatest security risks come from—not from computers or systems, but from people. By looking at how employees interact with things like emails and assigned training, organizations can get a clearer picture of who might be more likely to accidentally cause a security problem, such as falling for a phishing email.
Your Human Risk Score is calculated based on the things you do, both good and bad, that contribute to your organization’s risk; for example, clicking on a phishing link (bad), not taking assigned training before the due date (bad), or reporting a phishing email (good). Your Human Risk Score rates the risk presented by your actions at one of five levels: Very Low, Low, Medium, High, and Very High.
Why is this Important?
Security isn’t just about technology; it’s also about people. Research shows that a small percentage of users are often responsible for most security incidents, like clicking on dangerous links or opening suspicious attachments. By identifying which employees are at higher risk, organizations can provide them with extra support or training and focus security efforts where they’re needed most.
How Does Human Risk Scoring Work?
Looking at User Actions: The Human Risk Score
- Good and Bad Behaviors: The system tracks both positive actions (like reporting a suspicious email) and risky behaviors (like clicking on a phishing link or skipping security training).
- Risk Scale: Each person gets a risk level between very low risk and very high risk. The lower your score, the better.
- Score Changes Over Time: If someone makes a mistake, their score goes up. If they do something good, or simply avoid risky actions for a while, their score can go down.
- Multiple Categories: The score isn’t just one number; it’s built from several categories, like how people handle phishing emails, malware, and training. Each category impacts your score more or less, depending on how important it is for security.
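As an added illustration (not the product's own algorithm, which this article does not publish), the following Python model shows how a score with these properties can be built: weighted categories, events whose effect decays over time, and a mapping onto the five levels named above. Every weight, point value, half-life and threshold here is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights, points and thresholds: the article names the categories and
# the five levels but publishes no numbers, so every value below is an assumption.
CATEGORY_WEIGHTS = {"phishing": 1.0, "malware": 0.9, "training": 0.6}
EVENT_POINTS = {                      # positive = risky action, negative = good action
    ("phishing", "clicked_link"): 40,
    ("phishing", "reported_email"): -15,
    ("malware", "opened_attachment"): 35,
    ("training", "missed_due_date"): 20,
    ("training", "completed_on_time"): -5,
}
HALF_LIFE_DAYS = 30                   # an event's contribution halves every 30 days
LEVELS = [(20, "Very Low"), (40, "Low"), (60, "Medium"), (80, "High")]


@dataclass(frozen=True)
class Event:
    category: str
    action: str
    when: date


def category_breakdown(events, as_of):
    """Decayed, weighted contribution of each category as of a given date."""
    totals = {c: 0.0 for c in CATEGORY_WEIGHTS}
    for ev in events:
        age_days = (as_of - ev.when).days
        if age_days < 0:              # ignore events dated in the future
            continue
        decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
        points = EVENT_POINTS[(ev.category, ev.action)]
        totals[ev.category] += CATEGORY_WEIGHTS[ev.category] * points * decay
    return totals


def human_risk_score(events, as_of):
    """Overall score clamped to 0..100; lower is better, as the article states."""
    raw = sum(category_breakdown(events, as_of).values())
    return max(0.0, min(100.0, raw))


def risk_level(score):
    """Map a numeric score onto the five levels: Very Low .. Very High."""
    for upper_bound, label in LEVELS:
        if score < upper_bound:
            return label
    return "Very High"
```

A phishing click scored today lands in Medium, while the same click thirty days old combined with a reported email today decays to Very Low, which is the "score can go down" behavior described above.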
What Does This Mean for You?
- Personalized Attention: If your score is higher, it doesn’t mean you’re “bad”—it just means you might need more support or training.
- Focus on Prevention: The goal is to help people make safer choices and reduce the chances of a security incident, not to punish anyone.
- Continuous Improvement: As people learn and improve their habits, their scores can go down, reflecting positive change.
Key Takeaways
Human Risk Scores are designed to help organizations understand and reduce the risk from human actions in cybersecurity.
- Scores are based on real actions (both good and bad) and how often someone is targeted by attacks.
- The lower your score, the safer you’re considered.
- The system is about support and improvement, not blame.
If you have questions about your own score, remember: it’s a tool for your growth and the company’s safety—not a grade on your performance.