Virtual Risk Officer (VRO) and Risk Score Guide
Jump to:
Introduction
What is a risk score?
User risk
Group risk
Organization risk
Risk Boosters
How to lower risk
FAQs
Introduction to Virtual Risk Officer (VRO)
KnowBe4’s Virtual Risk Officer (VRO) feature provides insight and actionable metrics that will allow you to understand the attack surface of your organization, learn what users might be more vulnerable to a phishing attack, and check in on the effectiveness of your security awareness training program over time.
VRO provides dynamic risk scores, assigned to users, groups, and your organization as a whole, which enable you to make data-driven decisions when it comes to your security awareness plan and understand what users are the most susceptible to a phishing attack.
To see a quick video overview of this feature, click here.
Example of an organization's risk score, displayed on the Dashboard tab:
What is a risk score?
KnowBe4 records a unique risk score for your users, groups, and organization as a whole. These scores are displayed throughout the console on various reports, as well as your users and groups lists.
Each user will have a Personal Risk Score. The risk score for your groups and your organization is a calculation based on the Personal Risk Scores of all of the members of that group or organization.
User Risk: Personal Risk Score
Jump to:
What is the Personal Risk Score?
What influences Personal Risk Scores?
Where to view Personal Risk Scores
Personal Risk Score Charts and Graphs
What is the Personal Risk Score?
The risk score for a user, called the Personal Risk Score, is calculated by several different factors (detailed in the next section), including how likely the user is to be targeted with a phishing or social engineering attack, how they will react to these types of events, and how severe the consequences would be if they fell for an attack.
For example, the Personal Risk Score of employees in your Accounting Department will be higher than those of employees in the Graphic Design Department, because your Accounting Department has access to sensitive financial data. Similarly, your CEO or CFO will have a higher risk score than a Marketing Director, because your C-level executives may have access to classified or proprietary information about the organization.
All Personal Risk Scores are updated once per day, and scores that were recorded on previous days cannot be modified.
What influences Personal Risk Scores?
Personal Risk Scores are calculated using a proprietary deep learning neural network that combines a number of different factors. The factors include, but are not limited to, the below:
|
Risk Factors |
Description |
|
Phish-prone Percentage |
How the user has responded to simulated phishing emails. |
|
Security Awareness Training Status |
The type of training module(s) the user has completed and how much time they’ve spent in training. |
|
Breach Data |
The user’s information has been found in one or more data breaches. Breach information will be listed on the user’s timeline and individual User Report Card. |
|
Job-related Risk |
Those with access to sensitive information will be considered a higher risk based on their job title. |
|
User Risk Booster |
The user’s Personal Risk Score can be boosted manually in their user profile through the Risk Booster. We recommend boosting the risk for very high-risk users. |
|
Group Risk Booster |
If the user is a member of a group that has a Risk Booster applied to it, their Personal Risk Score will be affected. This setting can be adjusted per group, but if a user is in multiple groups, only the highest Risk Booster will apply. |
See:
What is a deep learning neural network? Learn more here. (Opens in a new window)
Where to view a user's Personal Risk Score
You can find a user's Personal Risk Score in several areas of the console, including the All Users list on the Users tab, within their individual user profiles, and on their User Report Cards, available in the Advanced Reporting Center.
Personal Risk Score Charts and Graphs
User profiles will include three different graphic reports to illustrate that user's Personal Risk Score. Click below to learn more about each:
User Risk: Personal Risk Score Scale
The Personal Risk Score Scale provides a visual representation of the user’s calculated Personal Risk Score, which ranges from 0-100.
Below is an example of this graph, as well as what each color represents in terms of Personal Risk Score.
|
Example of Personal Risk Score Scale |
Color |
Risk Score |
|
|
Green |
0 - 20 |
|
Yellow |
20.1 – 40 |
|
|
Orange |
40.1 – 60 |
|
|
Red |
60.1 – 80 |
|
|
Dark red |
80.1 - 100 |
Note:
Personal Risk Scores of "0" indicate that not enough data exists for that user yet. This is normal for new users who have not yet been phished or trained and will not strongly affect your group and organization risk scores.
User Risk: Risk Score - Last 6 Months
This line graph represents the change in the user’s Personal Risk Score over the last six months.
Example of Risk Score - Last 6 Months
User Risk: Risk Score Factors Chart
The Risk Score Factors radar chart (or spider chart) indicates the factors that are most influencing your user's risk score. The data here is relative only to the other factors for this user, not all users in your organization.
Example of Risk Score Factors Chart
|
Risk score factors in chart: |
What it indicates: |
|
Custom Events |
The user was included in at least one custom event that was imported into the console through the User Event API. The impact of the Custom Events factor will vary depending on the risk level assigned to each custom event. |
|
Booster |
The user has a manual Risk Booster applied to them, either through their user profile or group membership. Admins can modify Risk Booster settings on both users and groups. Note that users with "Normal" Risk Boosters applied to them may still have some indication that this has boosted their risk score—this is intended behavior. A "Low Risk" Risk Booster can be applied to the user or group to modify that. |
|
Exposure |
The user’s information has been found in one or more data breaches, increasing the likelihood they’ll be a target for phishing or social engineering attacks. This score will decrease over time for older breaches, while more recent breaches will have a stronger impact on the user's Exposure Risk. Breach information will be listed on the user’s timeline and individual User Report Card. |
|
Job Function |
The user’s job title indicates they may be a privileged user or may have access to sensitive information. Because the impact of a successful attack would be more severe, their risk score is higher. |
|
Behavior |
The user has failed simulated phishing tests. As phishing test failures are reduced, the impact of the Behavior factor on their risk score will also be reduced. |
|
Training |
The user has not completed or has not spent much time on security awareness training. Increasing the amount of training on security awareness-specific assignments will reduce the Training impact on the graph. |
Risk Booster
What are Risk Boosters?
A Risk Booster is a setting that can be manually configured by admins on your account to intentionally increase or decrease the risk score of any user or group. Risk Boosters will always be set to "Normal" unless changed by an admin.
For details on how to modify Risk Boosters, as well as use cases, access our How to Modify User or Group Risk Boosters document.
Group Risk
Groups inherit the overall risk of the users within the group. You can find a group's risk score in several areas of the console, including on the Users > Groups tab, within individual group profiles, and on Group Report Cards, available in the Advanced Reporting Center.
Group Risk: Groups List on Users & Groups tab
Group Risk: Group Profiles
Group Risk: Group Report Cards in the Advanced Reporting Center
How is group risk calculated?
Group risk is calculated based on the Personal Risk Scores of users within the group. As a very basic example, a group containing two users--where one user has a risk score of 75 and the other has a risk score of 25—would have a risk score of 50.
However, this calculation will take outliers into consideration in order to avoid a skewed group score, using a mean squared error (MSE) measurement. This means that unusual user risk scores in the group (For example, extremely low or extremely high) will have less impact on the group risk score. As a result, your group risk scores will vary and will not be an exact average of all user risk scores in the group.
Group risk scores will update when users are added to or removed from groups or as the Personal Risk Scores of users within those groups change. Group risk scores are updated overnight if changes are detected. Risk scores recorded in the past cannot be changed.
What is mean squared error (MSE)?
KnowBe4 uses a mean squared error (MSE) calculation for risk scores. Learn more about MSE here. (Opens in a new window)
Organization risk
On the Dashboard tab of your console, the Risk Score graph will display your Organization’s Risk Score over the last six months. Each data point on the graph represents the organization’s risk score at that specific point in time.
Dashboard: Organization Risk
The overall risk score for your organization is a combination of the Personal Risk Scores of all users at your organization. The calculation will take outliers into consideration in order to avoid a skewed organization risk score, using a mean squared error (MSE) measurement. This means that unusual user risk scores in your organization (For example, extremely low or extremely high) will have less impact on the score. As a result, your organization risk score will vary and will not be an exact average of all of your users' risk scores.
What is mean squared error (MSE)?
KnowBe4 uses a mean squared error (MSE) calculation for risk scores. Learn more about MSE here. (Opens in a new window)
Your organization's risk score will update as the Personal Risk Scores of your users change. Organization risk scores are updated overnight if changes are detected.
If risk score changes aren't detected, you will still see at least two data points added to your organization's risk score graph each month. If your organization’s risk score changes, an additional data point will be added overnight. Risk scores recorded in the past cannot be changed.
Your organization’s risk score does not have a manual Risk Booster.
How to lower risk
Lowering user risk
Based on their job title and available breach data, some users will always have an elevated Personal Risk Score. However, there are some actions that can be taken by the user to help lower this score:
- Complete security awareness training regularly
- A user’s completion of security awareness training assignments will lower their Personal Risk Score. We recommend selecting training modules that are comprehensive and cover multiple facets of security awareness training.
- Here are examples of training modules that meet this need:
- Kevin Mitnick Security Awareness Training
- KnowBe4 Security Awareness Training
- Here are resources for how to set up training campaigns:
- Here are examples of training modules that meet this need:
- A user’s completion of security awareness training assignments will lower their Personal Risk Score. We recommend selecting training modules that are comprehensive and cover multiple facets of security awareness training.
- Watch out for red flags in phishing emails and become a human firewall for their organization (i.e. lower their Phish-prone Percentage)
- With a combined program of security awareness training and simulated phishing, your user can become a strong human firewall for your organization and prevent a successful phishing attack. Their Phish-prone Percentage indicates the likelihood they will fall for a phishing attack, based on previously-recorded behavior.
- Users can lower this by not clicking links, opening attachments, or otherwise failing simulated phishing exercises.
- The lower their Phish-prone Percentage, the lower their Personal Risk Score will be.
Lowering group and organizational risk
The risk score of your groups and organization will lower as your users' risk score lowers. Ideally, with a combined program of simulated phishing and security awareness training, you will see your organization’s risk score lowered over time.
For the best results, we recommend following an Automated Security Awareness Program (ASAP) that has been customized for you to review best practices and stay on track with your security plan. You can also review our Best Practices Guide for similar insight into how best to run your KnowBe4 console. If you're not getting the results you'd like, reach out to your Customer Success Manager or account manager for assistance.
Frequently asked questions (FAQs)
Q: If I hide or delete a training or phishing campaign, will my user’s risk score be affected?
A: Risk scores in the past are fixed, so they will not be affected by the deletion of the campaign. If you delete a campaign today, however, your user’s risk score for today (and the future) will be affected.
Q: Are Security Hints and Tips and Scam of the Week campaigns included in a user’s Personal Risk Score?
A: Yes, because these types of campaigns are sent from the Phishing area of the console, they will lower the risk of your users as they do not contain phishing links for users to click. You should always hide these campaigns from reports. Here is how.
Q: Can I manually change a user or group’s risk score?
A: Yes! For users, you can use our Risk Booster feature within their profile to lower or raise their score. For groups, you'll be able to change the Risk Booster while editing the Group settings. See below for instructions:
Instructions for modifying a Risk Booster can be found here. All users and groups will have "Normal" Risk Boosters by default.
Boosters will not be stacked. Meaning, the user will receive only the highest Risk Booster applied to them (whether from their personal profile or a group that they’re a member of).
Q: What time are risk scores actually updated?
A: Risk scores are updated around 12:00 AM Eastern Standard Time (EST), but this time may vary slightly.
Comments
0 comments
Article is closed for comments.