Understanding Risk Scores

Please find the two types of risk score methods and their calculations below:

How Is the Phish Risk Score Calculated?

Keepnet calculates the Phishing Risk Score for a campaign based on identified risky behaviors.

Here are some of the risky behaviors that we detect during phishing simulations and use in the calculation for phishing risk scores.

Risk Behaviors (each rated Secure, Low, Medium or High):

  - Reported Phishing
  - Open Phishing Email
  - Click Phishing URL
  - MFA Code Sharing
  - Data Submit on Phishing Page
  - Open Attachment
  - Answer Voice Phishing Call
  - Share Sensitive Data on Voice Phishing Calls
  - Give unauthorized access to the system on the phone
  - Scan QR Code Phishing
  - Reply to phishing SMS

Suppose 100 individuals receive QR phishing emails and 45 of them scan the QR code in the email; this indicates that 45% of the employees engaged in a risky action. If 10 of those 45 individuals then also submit data on the phishing page, the Phish Risk Score Percentage for that campaign rises to 55%, because each risky action is counted separately (45 scans plus 10 submissions, out of 100 targets).

Here's a step-by-step explanation for calculating the Phish Risk Score Percentage:

  1. Total Target Users: 100 employees receive a phishing email with a QR code to test their response to potential phishing threats.

  2. Initial Response: 45 of these 100 employees scan the QR code, indicating a 45% initial failure rate due to this risky behavior.

  3. Further Risky Action: Of those who scanned, 10 also submit data on the phishing page, demonstrating higher risk engagement.

  4. Final Risk Score Calculation: Adding the submissions increases the Phish Risk Score to 55%. This metric illustrates the percentage of at-risk employees, aiding in targeted cybersecurity training and enhancements.

QR code phishing is used here as just one example; similar formulas can be applied to SMS, voice, callback, and email phishing simulations.

The usage of the Phishing Risk Score can be found in the Industry Benchmark report.

How is the Human Risk Score Calculated?

The Human Risk Score measures the percentage of users who exhibit risky behaviors during a phishing simulation.

Unlike the Phish Risk Score, which counts each specific risky action, the Human Risk Score only identifies whether any risky behavior occurred, not how many times it happened. This score simply reflects the proportion of users who demonstrated at least one risky action.

The user shows at least one of the following risky behaviors:

Risk Behaviors (each rated Secure, Low, Medium or High):

  - Reported Phishing
  - Open Phishing Email
  - Click Phishing URL
  - MFA Code Sharing
  - Data Submit on Phishing Page
  - Open Attachment
  - Answer Voice Phishing Call
  - Share Sensitive Data on Voice Phishing Calls
  - Give unauthorized access to the system on the phone
  - Scan QR Code Phishing
  - Reply to phishing SMS

This percentage is calculated by dividing the number of simulations where the user showed risky behavior by the total number of phishing simulations they received.

For instance, if a user displays risky behavior in one of three simulations, their Human Risk Score Percentage is 33%.

Target User | QR Phishing | Voice Phishing | SMS Phishing | Human Risk Score Formula | Human Risk Score (%)
----------- | ----------- | -------------- | ------------ | ------------------------ | --------------------
Alex        | No          | No             | Yes          | (1 / 3) * 100            | 33%
Bob         | Yes         | Yes            | No           | (2 / 3) * 100            | 67%

This table demonstrates whether each individual displayed risky behavior in each type of phishing campaign and calculates their overall Human Risk Score.

A higher Human Risk Score suggests that the individual is more susceptible to falling for social engineering attacks.
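As an added example that is not part of the Keepnet page, the following Python computes both scores from constructed simulation event records. The event schema, the 100-user QR campaign and the Alex/Bob histories are all assumed for illustration. It reproduces the 55% campaign result and the 33%/67% user results above, and it also reports the share of distinct risky users (45%) to make visible how the action-counting Phish Risk Score differs from the per-user Human Risk Score.

```python
from collections import defaultdict

# Risky behaviours from the page's table. "Reported Phishing" is the
# secure outcome and is deliberately excluded from the risky set.
RISKY_ACTIONS = {
    "Open Phishing Email",
    "Click Phishing URL",
    "MFA Code Sharing",
    "Data Submit on Phishing Page",
    "Open Attachment",
    "Answer Voice Phishing Call",
    "Share Sensitive Data on Voice Phishing Calls",
    "Give unauthorized access to the system on the phone",
    "Scan QR Code Phishing",
    "Reply to phishing SMS",
}


def phish_risk_score(events, total_targets):
    """Campaign-level score: every risky action counts once, so a user who
    scans the QR code and then submits data contributes two actions."""
    risky = sum(1 for e in events if e["action"] in RISKY_ACTIONS)
    return 100.0 * risky / total_targets


def risky_user_rate(events, total_targets):
    """Contrast metric: share of distinct users with at least one risky action."""
    users = {e["user"] for e in events if e["action"] in RISKY_ACTIONS}
    return 100.0 * len(users) / total_targets


def human_risk_scores(simulations):
    """Per-user score: simulations in which the user showed any risky behaviour,
    divided by simulations the user received, as a rounded percentage."""
    received = defaultdict(int)
    failed = defaultdict(int)
    for sim in simulations:
        risky_users = {e["user"] for e in sim["events"] if e["action"] in RISKY_ACTIONS}
        for user in sim["targets"]:
            received[user] += 1
            if user in risky_users:
                failed[user] += 1
    return {u: round(100.0 * failed[u] / received[u]) for u in received}


# Constructed QR campaign (assumed data) reproducing the page's numbers:
# 100 targets, 45 scan the QR code, 10 of those 45 also submit data,
# and 15 others report the email (secure behaviour, not counted).
QR_TARGETS = [f"user{n:03d}" for n in range(100)]
QR_EVENTS = (
    [{"user": u, "action": "Scan QR Code Phishing"} for u in QR_TARGETS[:45]]
    + [{"user": u, "action": "Data Submit on Phishing Page"} for u in QR_TARGETS[:10]]
    + [{"user": u, "action": "Reported Phishing"} for u in QR_TARGETS[45:60]]
)

# Constructed per-user history (assumed data) matching the page's Alex/Bob table.
SIMULATIONS = [
    {"name": "QR Phishing", "targets": ["Alex", "Bob"],
     "events": [{"user": "Bob", "action": "Scan QR Code Phishing"}]},
    {"name": "Voice Phishing", "targets": ["Alex", "Bob"],
     "events": [{"user": "Bob", "action": "Answer Voice Phishing Call"},
                {"user": "Alex", "action": "Reported Phishing"}]},
    {"name": "SMS Phishing", "targets": ["Alex", "Bob"],
     "events": [{"user": "Alex", "action": "Reply to phishing SMS"}]},
]

if __name__ == "__main__":
    print(f"Phish Risk Score: {phish_risk_score(QR_EVENTS, len(QR_TARGETS)):.0f}%")
    print(f"Distinct risky users: {risky_user_rate(QR_EVENTS, len(QR_TARGETS)):.0f}%")
    for user, score in human_risk_scores(SIMULATIONS).items():
        print(f"Human Risk Score for {user}: {score}%")
```

Because the Phish Risk Score sums actions rather than users, it can exceed the share of people who actually failed (here 55% versus 45%), and in a campaign with several risky steps it can exceed 100%; the Human Risk Score cannot, since each simulation contributes at most one failure per user.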

Copyright © Keepnet Labs LTD. All rights reserved.