Risk Scores

Virtual Risk Officer and Risk Score Guide

Our Virtual Risk Officer (VRO) feature provides actionable data and metrics to help you better understand your organization’s security strengths and weaknesses. You can use VRO to learn which users may be more vulnerable to phishing attacks and review the effectiveness of your security awareness training program.

VRO assigns dynamic Risk Scores to your users, groups, and organization. You can use these Risk Scores to make data-driven decisions for your organization's security.

For more information about VRO, click the links below or watch our Virtual Risk Officer (VRO) video.

What Is a Risk Score?

KnowBe4 records a unique Risk Score for each of your users, your groups, and your organization. The risk score for your individual users is known as their Personal Risk Score. These Personal Risk Scores are used to calculate the Risk Score for groups and for your organization.

You can see these scores throughout your console on various reports, user lists, and group lists.

How Is Personal Risk Score Determined?

The Personal Risk Score is a user’s individual Risk Score. Personal Risk Scores are calculated using a deep learning neural network that combines several different factors. Some of these factors are listed in the table below:

Risk Factors Description
Phish-prone Percentage How likely that a user will fall victim to a phishing attack. This percentage is based on the results of a phishing security test.
Security Awareness Training Status The type of training modules the user has completed and how much time the user has spent on the training.
Breach Data Whether or not the user’s information has been found in one or more data breaches through our Email Exposure Check (EEC Pro) tool. Breach information will be listed on the user’s timeline.
Job Function

A user’s job title may impact their Personal Risk Score.

Any user without a job title will have an average Job Function Risk Factor applied to their Risk Score.

For more information, see our How Does a Job title Impact Risk Scores? article.

User Risk Booster You can use the Risk Booster tool to manually boost a user’s Personal Risk Score. We recommend that you use the Risk Booster for high-risk users. For more information, see our Risk Boosters Guide.
Group Risk Booster

If you add a user to a group, the group’s Risk Booster may change the user’s Personal Risk Score.

If the user's Risk Booster is lower than the group’s Risk Booster, the group’s Risk Booster will be applied. When the group’s Risk Booster is applied, the user’s Personal Risk Score will change.

If you have added the user to multiple groups, the highest group Risk Booster will be applied.

Users with a Very Low Risk will not be impacted by a group’s Risk Booster.

For more information about Risk Boosters, see our Risk Boosters Guide.

Your users’ Personal Risk Scores may vary based on these factors. For example, users in the Accounting Department may have higher Personal Risk Scores than users in the Graphic Design Department. Users in the Accounting Department have access to sensitive financial information and are more likely to be targeted with phishing or social engineering attacks.

Similarly, a CEO may have a higher Personal Risk Score than a Marketing Director. Executives may have access to classified information about the organization and may be at greater risk of social engineering attacks.

All Personal Risk Scores are updated once per day. Scores recorded on previous days can’t be changed.

You can view a user's Personal Risk Score in several areas of your console, including the Users List on the Users tab, on individual user profiles, and on User Report Cards available in the KSAT Reporting Center.

Personal Risk Score Charts and Graphs

From the Users tab of your KSAT console, there are three different graphs that show a user's Personal Risk Score. To view these graphs for each user, navigate to the Users tab, then click the user’s name.

Click a tab below to learn more about each graph:

The Risk Score Scale provides a visual representation of the user’s calculated Personal Risk Score. This scale ranges from 0-100. See the table below for information about the colors on the Risk Score Scale and the corresponding Risk Scores:

Risk Score Scale Color Risk Score
 Green 0 - 20
Yellow 20.1 – 40
Dark Yellow 40.1 – 60
Orange 60.1 – 80
Red 80.1 - 100
Note: Users may have a Personal Risk Score of "0" if they haven’t received a phishing test or completed training assignments. A score of “0” will not strongly impact group and organization Risk Scores.

The Risk Factors radar chart shows which factors have the greatest impact on a user's Personal Risk Score.

The data on this chart is only relative to the other Risk Factors for this user. This data is not relative to Risk Factors for all the users in your organization. See the chart below for more information about each Risk Factor on the chart:


Custom Events

The user was included in at least one custom event that was imported into the console through the User Event API. The impact of the Custom Events Risk Factor varies depending on the risk level that you assigned to each custom event.

You have manually applied a Risk Booster to this user. This Risk Factor includes individual Risk Boosters and group Risk Boosters. Admins can edit the Risk Booster for users and groups.

The graph may show if a Risk Booster has been applied to the user, including a Normal Risk booster. If you would like to change this setting, you can apply a Very Low Risk booster to the user or group.


The user’s information has been found in one or more data breaches. If the user’s information has been found in a data breach, the user is more likely to experience phishing attacks or social engineering attacks. This score will decrease over time for older data breaches. Recent data breaches will have a stronger impact on the user's Exposure Risk Factor.

To see if a user’s information has been found in a data breach, navigate to the user’s timeline or the user’s User Report Card.

Job Function Users may have a higher Risk Score based on their job title. For more information, see our How Does a Job Title Impact Risk Scores? article.
Behavior The user has failed simulated phishing tests. If the user passes future phishing tests, the Behavior Risk Factor value will decrease.
Training The user has not completed their training or has not spent much time on their training. This factor will be high if the user has not completed their training but lower if the user has taken their training.

The Risk History line graph represents the change in the user’s Personal Risk Score over the past six months. You can hover your cursor over any point in the graph to view the user’s Personal Risk Score for that date.

Group Risk Scores

A group’s Risk Score is determined by the Personal Risk Scores of users within the group and calculated by mean squared error measurement, or MSE. This means that your group's Risk Score may not be an exact average of your users' Personal Risk Scores. For example, if there is a user in your group that has an unusually high Personal Risk Score compared to the rest of the group, MSE prevents that score from skewing the group's Risk Score.

The group’s Risk Score will change if users are added to or removed from the group and when the users’ Personal Risk Scores change. If changes are detected, the group’s Risk Score will be updated overnight. Risk Scores recorded in the past can’t be changed.

If you’d like, you can apply a Risk Booster to a group. For more information on how to apply a Risk Booster to a group, see our Risk Boosters Guide.

You can find the group's Risk Score in several areas of the console, including the group’s overview page, within individual group profiles, and on Group Report Cards.

Organization Risk Scores

Your organization’s Risk Score is determined by combining all your users’ Personal Risk Scores.

However, KnowBe4 uses mean squared error measurement, or MSE, to calculate your organization’s Risk Score. If a user has an unusual Personal Risk Score, MSE will prevent that user’s score from skewing the Risk Score for your organization. For example, a user with an unusually high Personal Risk Score will have less impact on your organization’s Risk Score. As a result, your organization’s Risk Score will not be an exact average of all users' Personal Risk Scores.

You can view your organization’s Risk Score on the Dashboard tab of your KnowBe4 console. In the Organization’s Risk Score section, you can view your organization’s Risk Score History graph and Risk Score scale. The Risk Score History graph displays your organization’s Risk Score over the last six months. Each data point on the graph represents your organization’s Risk Score at that specific point in time.

Dashboard: Organization Risk

Your organization's Risk Score changes when your users’ Personal Risk Scores change. The Risk Score will be updated overnight if changes are detected.

If Risk Score changes aren't detected, you will still see at least two data points added to your organization's Risk Score graph each month. If changes aren’t detected, these two points will still be added to show that the Risk Score remained the same for the month. If your organization’s Risk Score changes, a data point will be added overnight. You cannot manually change Risk Scores recorded on the graph.

You cannot apply a manual Risk Booster to your organization’s Risk Score.

How to Lower Risk Scores

You can lower Personal Risk Scores, group Risk Scores, and organization Risk Scores. For information about lowering these scores, see the sections below.

How to Lower Personal Risk Scores

Some users will always have a high Personal Risk Score based on their job title or other factors. However, users can take specific actions to lower their Personal Risk Score, such as completing security awareness training and not clicking phishing links in phishing emails.

A user’s Personal Risk Score will decrease when the user completes security awareness training assignments. We recommend that you assign training modules that cover a variety of security awareness topics, such as our KnowBe4 Security Awareness Training module. For more information about creating a training campaign, see our Creating and Managing Training Campaigns article.

A user’s Personal Risk Score will also decrease if they don’t click phishing links or open attachments in phishing emails. When users stop clicking simulated phishing links, they will decrease their Phish-prone Percentage. Decreasing the Phish-prone Percentage will also decrease the Personal Risk Score.

How to Lower Group and Organization Risk Scores

Your groups’ and organization’s Risk Scores will decrease as your users' Personal Risk Scores decrease. To see your organization’s Risk Score decrease over time, we recommend that you use a combined program of simulated phishing and security awareness training.

For the best results, we recommend that you follow an Automated Security Awareness Program (ASAP). This program will be customized to meet your organization’s needs and will help you stay on track with your security plan.

For more information, see our Best Practices Guide: How Do I Effectively Integrate KnowBe4 Into My Organization?. If you would like additional help, contact your Account Manager or Customer Success Manager.

Frequently Asked Questions (FAQs)

If I delete a training campaign or a phishing campaign, will my users’ Risk Scores be affected?

Previous Risk Scores will not be affected. However, if you delete a campaign today, your users’ Risk Scores for today’s date and future dates will be affected.

Are Security Hints and Tips and Scam of the Week campaigns included in my users’ Personal Risk Scores?

Yes, these campaigns are included in your users’ Personal Risk Scores. These campaigns will lower your users’ Personal Risk Scores because they do not contain phishing links for users to click. You should always hide these campaigns from reports. For more information, see our How to Hide a Phishing Campaign from Reports article.

Can I manually change a user’s Risk Score or a group’s Risk Score?

Yes, you can change a user’s Risk Score or a group’s Risk Score. For more information, see our Risk Booster Guide.

What time are Risk Scores updated?

Risk Scores are updated around 12:00 AM Eastern Standard Time (EST). This time may vary slightly.

How often is the VRO updated?

The VRO model is updated weekly. We also update this feature as needed to provide you with accurate information.

Why does my organization's Risk Score display a value of 0?

Your organization's Risk Score may not have been recorded yet. Risk Score values will be recorded at approximately 12:00 AM Eastern Standard Time (EST).

Can't find what you're looking for?

Contact Support