Virtual Risk Officer (VRO) and Risk Score Guide
Our Virtual Risk Officer (VRO) feature provides actionable insights and metrics to help you better understand the attack surface of your organization. You can learn which users might be more vulnerable to a phishing attack and review the effectiveness of your security awareness training program over time.
VRO provides dynamic Risk Scores—assigned to users, groups, and your organization as a whole—to help you make data-driven decisions for your organization's security.
Use the links below to navigate to a specific topic within this article or click here to see a quick video overview of this feature.
Jump to:
What is a Risk Score?
Personal Risk Scores
Risk Booster
Group Risk
Organization Risk
How to Lower Risk
FAQs
What is a Risk Score?
KnowBe4 records a unique Risk Score for your users, groups, and organization as a whole. These scores are displayed throughout the console on various reports, as well as your users and groups lists.
Each user has a Personal Risk Score. These Personal Risk Scores are used to calculate the Risk Score for groups and for the organization as a whole.
Personal Risk Scores
The Risk Score for a user, called the Personal Risk Score, is calculated from several factors, including how likely the user is to be targeted by a phishing or social engineering attack, how they are likely to react to such an attack, and how severe the consequences would be if they fell for one. It is normal for Personal Risk Scores to vary between users.
For example, the Personal Risk Scores of employees in your Accounting Department will typically be higher than those of employees in the Graphic Design Department, because Accounting has access to sensitive financial data. Similarly, your CEO or CFO will have a higher Risk Score than a Marketing Director, because C-level executives may have access to confidential or proprietary information about the organization.
All Personal Risk Scores are updated once per day, and scores that were recorded on previous days cannot be modified.
You can find a user's Personal Risk Score in several areas of the console, including the Users List on the Users tab, on individual user profiles, and on User Report Cards available in the Advanced Reporting Center.
What Influences Personal Risk Scores?
Personal Risk Scores are calculated using a proprietary deep learning neural network that combines a number of different factors. The factors include, but are not limited to, the below:
Risk Factor | Description
Phish-prone Percentage | The likelihood of the user falling victim to a phishing attack, based on Phishing Security Test results.
Security Awareness Training Status | The type of training module(s) the user has completed and how much time they have spent in training.
Breach Data | The user's information has been found in one or more data breaches through our Email Exposure Check tool. Breach information is listed on the user's timeline and individual User Report Card.
Job Function | Based on their job title, users with more responsibilities are assigned a higher Risk Score. Click here to learn more about how Job Titles impact Risk Scores.
User Risk Booster | A user's Personal Risk Score can be boosted manually in their user profile through the Risk Booster. We recommend boosting the risk for very high-risk users.
Group Risk Booster | A user's Personal Risk Score can also be affected by a Group Risk Booster when the user is added to a group. If the user's own Risk Booster is lower than the Group Risk Booster, the Group Risk Booster is applied to their Personal Risk Score. If the user is in multiple groups, the highest Group Risk Booster applies. Users with a Very Low Risk Booster are not affected by Group Risk Boosters; their Personal Risk Score remains unchanged.
See:
What is a deep learning neural network? Learn more here. (Opens in a new window)
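The Group Risk Booster precedence rule above is easy to get wrong in practice, because a user's score can be raised by a group the admin did not have in mind. The following Python is an added illustration of that rule and of the audit an admin would run to find users whose booster is coming from a group; it is not KnowBe4 code. The page names only the "Very Low" and "Normal" (default) levels, so the full ordered scale, the function names, and the user and group data are assumptions constructed for this example.

```python
"""Which Risk Booster actually applies to a user.

Added illustration of the precedence rule described on this page; it is
not KnowBe4 code. ASSUMPTION: the page names only the "Very Low" and
"Normal" (default) levels, so the ordered scale below, the user and
group data, and the function names are constructed for this example.
"""

BOOSTER_LEVELS = ["Very Low", "Low", "Normal", "High", "Very High"]
RANK = {level: i for i, level in enumerate(BOOSTER_LEVELS)}


def effective_booster(user_booster, group_boosters):
    """Return the booster level that ends up affecting the user's score.

    Rules from the page:
      * a user set to Very Low is never affected by any group booster;
      * otherwise the highest booster among the user's groups applies
        when it is higher than the user's own booster;
      * in every other case the user's own booster stands.
    """
    for level in [user_booster, *group_boosters]:
        if level not in RANK:
            raise ValueError(f"unknown booster level: {level!r}")
    if user_booster == "Very Low":
        return user_booster
    if not group_boosters:
        return user_booster
    highest_group = max(group_boosters, key=RANK.__getitem__)
    if RANK[highest_group] > RANK[user_booster]:
        return highest_group
    return user_booster


def group_elevated_users(users, group_boosters):
    """List users whose effective booster comes from a group rather than
    from their own profile, so an admin can see where group membership
    is silently raising Personal Risk Scores.

    users:          {name: {"booster": level, "groups": [group, ...]}}
    group_boosters: {group: level}; groups absent here are treated as
                    Normal, the default the page describes.
    """
    report = {}
    for name, info in users.items():
        levels = [group_boosters.get(g, "Normal") for g in info["groups"]]
        effective = effective_booster(info["booster"], levels)
        if effective != info["booster"]:
            report[name] = effective
    return report


# Constructed sample data (not real accounts or groups).
USERS = {
    "alice": {"booster": "Normal", "groups": ["Finance"]},
    "bob": {"booster": "Very Low", "groups": ["Finance", "Executives"]},
    "carol": {"booster": "High", "groups": ["Executives"]},
    "dave": {"booster": "Normal", "groups": ["Engineering"]},
}
GROUP_BOOSTERS = {"Finance": "High", "Executives": "Very High"}

if __name__ == "__main__":
    for user, level in group_elevated_users(USERS, GROUP_BOOSTERS).items():
        print(f"{user}: booster raised to {level} by group membership")
```

Running the audit on the sample data reports alice (raised to High by Finance) and carol (raised to Very High by Executives); bob keeps Very Low despite being in both groups, and dave is untouched because his only group has the default Normal booster.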
Personal Risk Score Charts and Graphs
User profiles include three graphic reports that illustrate the user's Personal Risk Score. Each graph is described below.
The Risk Score Scale provides a visual representation of the user’s calculated Personal Risk Score, which ranges from 0-100. The chart below outlines what score each color represents on this scale.
Risk Score Scale
Color | Risk Score
Green | 0 – 20
Yellow | 20.1 – 40
Orange | 40.1 – 60
Red | 60.1 – 80
Dark red | 80.1 – 100
Note:
Personal Risk Scores of "0" indicate that not enough data exists for that user yet. This is normal for new users who have not yet been phished or trained and will not strongly affect your group and organization Risk Scores.
The Risk Factors radar chart (also known as a spider chart) indicates the factors that are most influencing this user's risk score.
The data here is relative only to the other factors for this user, not all of the users in your organization. See the chart below for more information on each Risk Factor.
Factor | Description
Custom Events | The user was included in at least one custom event imported into the console through the User Event API. The impact of this factor varies with the risk level assigned to each custom event.
Booster | The user has a manual Risk Booster applied, either through their user profile or through group membership. Admins can modify Risk Booster settings on both users and groups. Users with the default Normal Risk Booster may still see some Booster contribution on this chart; this is intended behavior. Apply a Very Low Risk Booster to the user or group to change that.
Exposure | The user's information has been found in one or more data breaches, increasing the likelihood they will be targeted by phishing or social engineering attacks. The contribution of older breaches decays over time, while recent breaches weigh more heavily on the user's Exposure risk. Breach information is listed on the user's timeline and individual User Report Card.
Job Function | Based on their job title, users with more responsibilities are assigned a higher Risk Score. Click here to learn more about how Job Titles impact Risk Scores.
Behavior | The user has failed simulated phishing tests. As failures become less frequent, the impact of the Behavior factor on the Risk Score decreases.
Training | The user has not completed, or has spent little time on, security awareness training. Completing more security awareness training assignments reduces the Training factor's impact.
The Risk History line graph represents the change in the user’s Personal Risk Score over the last six months. You can hover over any point to view the exact Risk Score for that date.
Risk Booster
What are Risk Boosters?
A Risk Booster is a setting that admins on your account can configure manually to intentionally increase or decrease the Risk Score of any user or group. Risk Boosters default to Normal and only change when an admin edits them.
For details on how to modify Risk Boosters, as well as use cases, see our Risk Booster Guide.
Group Risk
A group inherits Risk Scores of the users within the group. You can find a group's Risk Score in several areas of the console, including on the Users > Groups tab, within individual group profiles, and on Group Report Cards, available in the Advanced Reporting Center.
Group Risk is calculated from the Personal Risk Scores of the users in the group. As a very basic example, a group containing two users, one with a Risk Score of 75 and the other with a Risk Score of 25, would have a Risk Score of 50.
However, the calculation takes outliers into consideration to avoid a skewed group score, using a mean squared error (MSE) measurement. This means that unusual user Risk Scores in the group (for example, extremely low or extremely high scores) have less impact on the group Risk Score. As a result, group Risk Scores will vary and will not be an exact average of the user Risk Scores in the group.
Group Risk Scores update when users are added to or removed from groups, or as the Personal Risk Scores of users within those groups change. Group Risk Scores are updated overnight if changes are detected. Risk Scores recorded in the past cannot be changed.
What is mean squared error (MSE)?
KnowBe4 uses a mean squared error (MSE) calculation for Risk Scores. Learn more about MSE here. (Opens in a new window)
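The page does not publish the exact aggregation, only that a plain average is not used and that an MSE-based measurement keeps outliers from skewing the group (and organization) score. The Python below is an added illustration of one such outlier-damped mean, written for this article rather than taken from KnowBe4: each member's score is down-weighted by its squared deviation from the group mean relative to the group's MSE, and the plain average is kept alongside for comparison. The weighting formula, the treatment of a Personal Risk Score of 0 as "no data yet" (which the page describes, but whose exact handling it does not specify), and the sample groups are assumptions constructed for the example.

```python
"""Illustrative group Risk Score aggregation.

Added example, not KnowBe4 code. The page only says that group and
organization scores come from Personal Risk Scores via a "mean squared
error (MSE) measurement" so that outliers have less impact; the exact
formula is not published there. ASSUMPTION: the weighting below is one
plausible interpretation chosen for illustration.
"""
from statistics import fmean


def plain_mean(scores):
    """Exact average: the naive baseline the page says is NOT used."""
    return fmean(scores) if scores else 0.0


def outlier_damped_mean(scores):
    """Average in which each score is down-weighted by how far it sits
    from the group mean, measured against the group's MSE:

        weight_i = 1 / (1 + (x_i - mean)^2 / MSE)

    A score exactly one "MSE unit" from the mean gets weight 0.5; an
    extreme outlier gets a weight near 0, so it cannot drag the result.
    """
    if not scores:
        return 0.0
    mean = fmean(scores)
    squared_errors = [(x - mean) ** 2 for x in scores]
    mse = fmean(squared_errors)
    if mse == 0:  # every member has the same score; nothing to damp
        return mean
    weights = [1.0 / (1.0 + err / mse) for err in squared_errors]
    return sum(w * x for w, x in zip(weights, scores)) / sum(weights)


def group_risk_score(personal_scores):
    """Group score from members' Personal Risk Scores, rounded to one
    decimal as the console displays them.

    ASSUMPTION: a Personal Risk Score of 0 means "not enough data yet"
    (per the page), so such members are left out of the aggregate.
    """
    scored = [s for s in personal_scores if s > 0]
    if not scored:
        return 0.0
    return round(outlier_damped_mean(scored), 1)


# Constructed sample groups (not real user data).
TWO_USER_GROUP = [75, 25]             # the page's own example
GROUP_WITH_OUTLIER = [30, 32, 35, 31, 95]
GROUP_WITH_NEW_USERS = [0, 0, 60]     # two users not yet phished or trained

if __name__ == "__main__":
    for name, members in [("two users", TWO_USER_GROUP),
                          ("with outlier", GROUP_WITH_OUTLIER),
                          ("with new users", GROUP_WITH_NEW_USERS)]:
        print(f"{name:15} plain mean = {plain_mean(members):5.1f}  "
              f"damped group score = {group_risk_score(members):5.1f}")
```

For the page's two-user example both methods give 50, because the two members sit symmetrically around the mean and receive equal weight. For the group with one member at 95, the plain mean is 44.6 while the damped score is about 35.8, closer to where the other four members actually are, which is the behavior the text describes. Members with a score of 0 are ignored, so a group of two new users and one user at 60 scores 60.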
Organization Risk
On the Dashboard tab of your console, the Risk Score graph will display your Organization’s Risk Score over the last six months. Each data point on the graph represents the organization’s Risk Score at that specific point in time.
Dashboard: Organization Risk
The overall Risk Score for your organization is a combination of the Personal Risk Scores of all users in your organization. The calculation takes outliers into consideration to avoid a skewed organization Risk Score, using a mean squared error (MSE) measurement. This means that unusual user Risk Scores in your organization (for example, extremely low or extremely high scores) have less impact on the score. As a result, your organization Risk Score will vary and will not be an exact average of all of your users' Risk Scores.
Your organization's Risk Score will update as the Personal Risk Scores of your users change. Organization Risk Scores are updated overnight if changes are detected.
If Risk Score changes aren't detected, you will still see at least two data points added to your organization's Risk Score graph each month. If your organization’s Risk Score changes, an additional data point will be added overnight. Risk Scores recorded in the past cannot be changed.
Your organization’s Risk Score does not have a manual Risk Booster.
How to Lower Risk
Lowering User Risk
Based on their job title and available breach data, some users will always have an elevated Personal Risk Score. However, users can take the following actions to help lower their score:
- Complete security awareness training regularly
  - Completing security awareness training assignments lowers a user's Personal Risk Score. We recommend selecting training modules that are comprehensive and cover multiple facets of security awareness.
  - Examples of training modules that meet this need:
    - Kevin Mitnick Security Awareness Training
    - KnowBe4 Security Awareness Training
  - Here are resources for how to set up training campaigns:
- Watch out for red flags in phishing emails and become a human firewall for the organization (that is, lower their Phish-prone Percentage)
  - With a combined program of security awareness training and simulated phishing, a user can become a strong human firewall for your organization and prevent a successful phishing attack. Their Phish-prone Percentage indicates how likely they are to fall for a phishing attack, based on previously recorded behavior.
  - Users lower it by not clicking links, not opening attachments, and otherwise not failing simulated phishing exercises.
  - The lower their Phish-prone Percentage, the lower their Personal Risk Score.
Lowering Group and Organizational Risk
The Risk Scores of your groups and organization decrease as your users' Personal Risk Scores decrease. Ideally, with a combined program of simulated phishing and security awareness training, you will see your organization's Risk Score fall over time.
For the best results, we recommend following an Automated Security Awareness Program (ASAP) that has been customized for you to review best practices and stay on track with your security plan. You can also review our Best Practices Guide for similar insight into how best to run your KnowBe4 console. If you're not getting the results you'd like, reach out to your Customer Success Manager or account manager for assistance.
Frequently Asked Questions (FAQs)
Q: If I hide or delete a training or phishing campaign, will my user’s Risk Score be affected?
- A: Risk Scores in the past are fixed, so they will not be affected by the deletion of the campaign. If you delete a campaign today, however, your user’s Risk Score for today (and the future) will be affected.
Q: Are Security Hints and Tips and Scam of the Week campaigns included in a user’s Personal Risk Score?
- A: Yes. Because these campaigns are sent from the Phishing area of the console but contain no phishing links for users to click, they lower your users' risk even though no phishing behavior was actually tested. You should always hide these campaigns from reports. Here is how.
Q: Can I manually change a user or group’s Risk Score?
- A: Yes! See our Risk Booster Guide for more information.
Q: What time are Risk Scores actually updated?
- A: Risk Scores are updated around 12:00 AM Eastern Standard Time (EST), but this time may vary slightly.
Q: How often is the VRO model updated?
- A: The VRO model is updated weekly and we make enhancements to this feature as needed throughout the year to provide you with the most accurate information.