This article contains information on Mimecast's Human Risk functionality, which uses Human Risk Scores and Attack Factors to assess and mitigate security risks posed by user actions and attack frequency. It is intended for Administrators.
Introduction
4% of users cause 80% of phishing incidents and 3% of users cause 92% of malware incidents. So what do we do about it?
Mimecast’s Human Risk functionality takes data already available in your security solutions and provides your security leaders with the insight needed to identify the most likely source of the next security breach and prevent it from happening. This is made possible through the Human Risk Score (HRS). The HRS enables your organization to make informed decisions and enhance your security posture by shining a light on the human attack surface presented by your workforce.
Human Risk is split into two components:
- The Human Risk Score, which reflects the risk presented by the actions users take.
- The Attack Factor, which represents how much a user is attacked.
The scope of Human Risk, and the associated scoring, will expand as data sets are increased, in later releases.
Human Risk Score
The Human Risk Score is calculated based on the things users do, both good and bad, that contribute to your organization’s risk; for example, clicking on a phishing link (bad), not taking assigned training before the due date (bad), or reporting a phishing email (good). The Human Risk Score rates the risk presented by your users' actions in a range of 0 (negligible risk) to 10 (very high risk). Scores never fall outside this range.
The overall Human Risk Score is a composite of scores covering different categories of items users may interact with. Like the Human Risk Score, these scores have a range of 0 to 10, with 0 being very low risk and 10 being very high risk. Events that contribute to these categories are ingested from your solutions that have been connected to the Human Risk platform.
Not all ingested events are scored.
Initially, the factors that make up the Human Risk Score will be Actual Phishing, Simulated Phishing, and Training, sourced from our Secure Email solutions and Engage.
Each component of the Human Risk Score is a running tally, where events indicating bad behavior increase the score, and events indicating good behavior decrease the score (remember, the closer a score is to 0, the better the score is). The scoring is done using one of two methods: simple or recoverable.
Simple Scoring
The categories that use this type of scoring are Simulated Phishing and Training.
Score Calculation Example: Simulated Phishing
A user is sent simulated phishing emails during three phishing simulation campaigns. In response to the campaigns, they take the following actions:
- Campaign 1: Opened, Clicked, Compromised (the user entered information on the linked webpage).
- Campaign 2: Opened, Clicked.
- Campaign 3: Opened, Reported.
Resulting Score (Remember, lower scores are better scores; points for individual events may not be the points used in the product):
- Starting Score: 0
- After Campaign 1: 2 (0 [start score] + 2 [points added from “compromise”])
- After Campaign 2: 3 (2 [prior score] + 1 [points added from click])
- After Campaign 3: 1 (3 [prior score] - 2 [points removed due to reporting])
Recoverable Scoring
With recoverable scoring, a user’s score recovers (i.e. is reduced) by a small amount on each day the system doesn’t process any score-impacting events for that user.
For example, in Actual Phishing, the score would recover on each day the system doesn’t see any click, compromised, or reported events. Recoverable scores are set so that a user with a score of 10 would eventually reach a score of 0 after 357 days, if no events were detected. The scores recover 10/365 (0.028) points on each day without an event, which means full recovery happens in 357 days.
Calculating the Human Risk Score
The Human Risk Score consists of a weighted average of the component categories. The categories are weighted based on their impact on risk – the greater the weight, the greater the impact.
The table below shows the categories and their weights:
| Category | Weight |
|---|---|
| Actual Phishing | 3 |
| Malware | 3 |
| Sensitive Data Handling | 3 |
| Simulated Phishing | 2 |
| Training | 1 |
The formula for calculating a user’s Human Risk Score is:
Example 1
User A has the following scores: Actual Phishing = 2.3, Simulated Phishing = 4.0, and Training = 0.0. Using the weights for the categories given above:
Human Risk Score = ((3 x 2.3) + (2 x 4.0) + (1 x 0.0)) / (3 + 2 + 1)
= (6.9 + 8 + 0) / 6
= 14.9 / 6
= 2.5 (2.48 rounded)
Example 2
User B has the following scores: Actual Phishing = 0.0, Simulated Phishing = 2.0, and Training = 8.0. Using the weights for the categories given above:
Human Risk Score = ((3 x 0.0) + (2 x 2.0) + (1 x 8.0)) / (3 + 2 + 1)
= (0 + 4 + 8) / 6
= 12 / 6
= 2.0
Even though User B's Training score is twice as bad as any score User A has, they still have the better Human Risk Score, because of the weight given to the different categories.
Example 3
User C has the following scores: Actual Phishing = 1.0, Simulated Phishing = 4.0, Malware = 7.5, and Training = 8.0. Using the weights for the categories given above:
Human Risk Score = ((3 x 1.0) + (2 x 4.0) + (3 x 7.5) + (1 x 3.0)) / (3 + 2 + 3 + 1)
= (3 + 8 + 22.5 + 3) / 9
= 36.5 / 9
= 4.1
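The scoring model described above (simple tallies, daily recovery, and the weighted average), as an added worked example in Python; it is not Mimecast's code. The per-event point values are assumed for illustration, as the article notes that product values may differ, and the weighted average is taken over only the categories that have a score, as in the examples.

```python
# Added illustration of the Human Risk Score model; not Mimecast's own code.
WEIGHTS = {"Actual Phishing": 3, "Malware": 3, "Sensitive Data Handling": 3,
           "Simulated Phishing": 2, "Training": 1}
# Assumed per-event points (the article states product values may differ).
POINTS = {"compromised": 2.0, "clicked": 1.0, "reported": -2.0}
DAILY_RECOVERY = 10 / 365  # article: a recoverable score recovers 10/365 points per quiet day


def clamp(score: float) -> float:
    """Category and overall scores never leave the 0..10 range."""
    return max(0.0, min(10.0, score))


def apply_events(score: float, events: list) -> float:
    """Simple scoring: a running tally where bad events add points and good ones remove them."""
    for event in events:
        score = clamp(score + POINTS[event])
    return score


def recover(score: float, quiet_days: int) -> float:
    """Recoverable scoring: the score decays by DAILY_RECOVERY on each day with no events."""
    return clamp(score - DAILY_RECOVERY * quiet_days)


def human_risk_score(category_scores: dict) -> float:
    """Weighted average over the categories that have a score, rounded to one decimal."""
    total_weight = sum(WEIGHTS[c] for c in category_scores)
    weighted = sum(WEIGHTS[c] * s for c, s in category_scores.items())
    return round(weighted / total_weight, 1)


if __name__ == "__main__":
    # The three simulated phishing campaigns from the article: 0 -> 2 -> 3 -> 1
    print(apply_events(0.0, ["compromised", "clicked", "reported"]))
    # Example 1 and Example 2 from the article
    print(human_risk_score({"Actual Phishing": 2.3, "Simulated Phishing": 4.0, "Training": 0.0}))
    print(human_risk_score({"Actual Phishing": 0.0, "Simulated Phishing": 2.0, "Training": 8.0}))
```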
Attack Factor
Attack Factor measures how frequently employees are attacked compared to others. Emails categorized as SPAM or UNWANTED (configurable user/admin blocks) are not included.
Like the Human Risk Score, Attack Factor values range between 0 and 10. This is communicated via five levels: Very Low, Low, Medium, High, and Very High.
We measure the attack rate based on the following events:
- Actual Phishing:
  - Phishing email blocked.
  - Phishing email delivered.
- Malware:
  - Blocked
  - Downloaded
  - Download_attempted
  - Executed
Attack scores are relative. An individual who is the target of 100 phishing emails (whether or not they are delivered) will have a higher score than someone who is targeted by five phishing emails.
Calculating Attack Factor
At the end of each day, a summary report is generated for each tenant containing basic statistics like min, max, standard deviation, and mean of the number of attack events against all their employees.
Then each employee is given a daily intermediate score based on how they compare to their coworkers. We use the z_score for this, which is how many standard deviations from the tenant mean the employee is, and is calculated as:
z_score = (employee_attacks - average_tenant_attacks) / tenant_standard_deviation
- Anyone with a z_score <= -2 will have a daily intermediate score of 0.
- Anyone with a z_score >= 2 will have a daily intermediate score of 10.
- Everyone else will have a daily intermediate score of 5 x (z_score + 2) / 2, which gives them a score distributed between 0 and 10 based on their attack numbers.
A 30-day rolling average of their daily intermediate scores is calculated to generate their actual attack score. The resulting score reflects how attacked the employee is compared to their colleagues, with consideration for recent data while still giving weight to changes in the last few weeks.
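The daily z_score mapping and the 30-day rolling average described above, as an added worked example in Python; it is not Mimecast's code. It assumes the population standard deviation (the article does not say which estimator is used), and the attack counts are constructed sample data for one tenant on one day.

```python
# Added illustration of the Attack Factor computation; not Mimecast's own code.
from statistics import mean, pstdev


def z_score(employee_attacks: int, tenant_counts: list) -> float:
    """Standard deviations from the tenant mean (population stdev assumed);
    0 when every employee saw the same number of attacks."""
    sd = pstdev(tenant_counts)
    if sd == 0:
        return 0.0
    return (employee_attacks - mean(tenant_counts)) / sd


def daily_intermediate_score(z: float) -> float:
    """Map z to 0..10 using the article's three rules."""
    if z <= -2:
        return 0.0
    if z >= 2:
        return 10.0
    return 5 * (z + 2) / 2


def daily_scores_for_tenant(counts: dict) -> dict:
    """One day's summary: score every employee against the tenant's own distribution."""
    population = list(counts.values())
    return {name: daily_intermediate_score(z_score(n, population))
            for name, n in counts.items()}


def rolling_attack_factor(daily_scores: list, window: int = 30) -> float:
    """Rolling average over the most recent `window` daily intermediate scores."""
    recent = daily_scores[-window:]
    return round(sum(recent) / len(recent), 2)


if __name__ == "__main__":
    # Constructed sample day: four quiet employees and one heavily targeted one
    day = {"alice": 0, "bob": 0, "carol": 0, "dave": 0, "eve": 10}
    print(daily_scores_for_tenant(day))  # eve -> 10.0, the others -> 3.75
    # Ten heavily attacked days followed by twenty quiet ones
    print(rolling_attack_factor([10.0] * 10 + [0.0] * 20))  # 3.33
```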