In this article, you can find frequently asked questions about using KnowBe4's SmartRisk™ Engine and Risk Score feature. If you have additional questions that this article doesn't include, please submit a ticket to our support team.
To learn more about Risk Score, see our SmartRisk™ Engine and Risk Score Guide.
General Information
For general information about SmartRisk™ Engine and Risk Score, see the questions and answers below:
- What is the SmartRisk™ Engine, and how does it enhance human risk management?
- How are the seven security types in Risk Score defined and calculated?
- What is the available range for Risk Score?
- What’s the difference between active and inactive risk factors?
- How often is Risk Score updated, and is it in real time?
- What are the differences between the new Risk Score and the legacy Risk Score?
What is the SmartRisk™ Engine, and how does it enhance human risk management?
The SmartRisk™ Engine is KnowBe4's new Risk Score system that provides you with dynamic and actionable data for your organization’s security posture. By tracking users’ risk behaviors and trends over time, you can tailor your security training and policies effectively and focus on your riskiest or safest security areas.
The SmartRisk™ Engine calculates Risk Scores for individual users, groups, and your organization as a whole. The calculation is based on risk factors, that is, user events and behaviors. Risk factors include clicking phishing links, reporting phishing emails, and complying with security policies. Risk factors are then categorized into security types. Risk factors can be active or inactive, showing you which user behaviors and user events are contributing to higher Risk Scores and which behaviors might indicate potential risk. With these detailed insights, you can pinpoint specific risk areas in your organization and specific users that need additional support or security awareness training.
How are the seven security types in Risk Score defined and calculated?
There are seven security types that represent different areas of user behavior and potential risk. Each security type contributes to a user’s or an organization’s overall Risk Score. These security types aggregate user events and behaviors that are classified as risky, secure, or mitigation. The table below lists each security type, along with how it is defined and calculated:
| Security Type | Definition | Examples |
|---|---|---|
| Email Security | Evaluates risks based on a user's email-related actions | |
| Endpoint Security | Focuses on risks arising from a user's interaction with their devices | |
| Data Security | Assesses risks related to a user’s data handling and data sharing behaviors | |
| Web Security | Measures the risks associated with a user’s online browsing and web-based actions | |
| Account Hygiene | Evaluates the overall security practices around a user’s accounts | |
| Compliance Electives | Reflects a user's engagement in compliance-related training | |
| Physical Security | Measures the user’s engagement in security practices related to physical access and security | Note: Currently, the only risk factor that contributes to this security type is security awareness training assignments regarding physical security. |
What is the available range for Risk Score?
The Risk Score available range indicates your level of risk, with zero being the least risky and 100 being the most risky. While the available range is between zero and 100, your range will never be below 10 or above 90.
We use a 10-90 scale to provide a realistic image of where your security stands and what you can improve. A score of 0–10 would imply near-perfect security, which is practically unattainable given evolving cybersecurity threats and potential unknown risks. Similarly, a score of 90–100 would suggest a catastrophic security posture, which isn’t typically accurate, even for high-risk organizations. By focusing on the 10-90 range, you get a practical range of risk that helps you prioritize improvements that will make a real difference in your security posture.
See the table below for the color and risk level breakdown of the available range.
| Color | Risk Score | Risk Level |
|---|---|---|
| Green | 10-40 | Low |
| Yellow | 41-47 | Medium |
| Orange | 48-53 | High |
| Red | 54-90 | Critical |
What's the difference between active and inactive risk factors?
Active factors are events from integrated KnowBe4 products that provide direct data for Risk Score calculations. Actions classified as risky increase Risk Scores, while secure actions decrease Risk Scores.
Inactive factors are used when data for a security type isn’t available, and the SmartRisk™ Engine applies a default risk value. The default risk value reflects a general risk level for the security type based on industry standards and potential threats. KnowBe4 assumes that user behavior in these types is risky, which can lead to a higher overall Risk Score.
How often is Risk Score updated, and is it in real time?
Risk Score is dynamically updated as new data becomes available, but it is not strictly updated in real time. Risk Score is updated on a daily basis, and any risky, secure, or mitigation event will be reflected in the Risk Score within 24 hours at most.
The SmartRisk™ Engine continuously monitors and records risky, secure, and mitigation events across the different security types. Events from each integrated product are ingested into the Risk Score data pipeline daily, and when new data is received, an incremental adjustment is triggered in Risk Score. For example, if a user completes a security training module or clicks a phishing link, that action will affect their Risk Score within 24 hours after the event.
What are the differences between the new Risk Score and the legacy Risk Score?
See the chart below for some key differences between our SmartRisk™ Engine and Risk Score and our legacy Virtual Risk Officer (VRO) and Risk Score:
| Risk Domains | SmartRisk™ Engine and Risk Score | Virtual Risk Officer (VRO) and Risk Score |
|---|---|---|
| Data Integration | Integrates data from across KnowBe4's entire product suite | Primarily uses data from phishing tests, training activities, job titles, and data breaches |
| Manager Risk Score | Offers a hierarchical view with the Manager Risk Score report and a new Organizational Chart filter coming soon | Only available in the Learner Experience (LX) under the Team Dashboard |
| Benchmarking | Organization size and industry benchmarking are planned for late 2025 or early 2026 | Not applicable |
| Actionable Insights | Provides specific guidance for remediation plans based on security types and risk factors | Offers more general risk reduction recommendations |
| Reporting Capability | Emphasizes flexible reporting for improved stakeholder communication | Dashboard gauge and standard reporting options |
| Job Title | No longer a factor in the Risk Score calculation because it’s a static, non-remediable attribute, and the SmartRisk™ Engine utilizes actionable insights. | Evaluates risk based on organizational connection patterns |
| User and Group Booster | No longer a factor in the Risk Score calculation because risk boosters are manual adjustments that would compromise both the objectivity and universality factors of Risk Score. | Manually boosts a user’s Personal or Group Risk Score |
| Phish-prone Percentage | No longer a factor in the Risk Score calculation because the SmartRisk™ Engine uses the underlying user events that contribute to the Phish-prone Percentage. | The percentage of your users who clicked on a simulated phishing link or opened an attachment during a phishing test |
Calculation
For more information about the calculation of Risk Score, see the questions and answers below:
- Why does my Risk Score go up or down?
- What are risky, secure, and mitigation events?
- What’s the new user bias?
- How do inactive factors affect my Risk Score?
- How do inactive factors affect my available range?
- How long do specific events impact a user's Risk Score?
- Are students included in my Risk Score calculation?
- Can I use my own LMS with Risk Score?
Why does my Risk Score go up or down?
Risk Score will increase or decrease based on specific risky or secure behaviors or mitigation events that are detected and logged by KnowBe4 products. These behaviors are categorized into seven security types representing different areas of security risk.
What are risky, secure, and mitigation events?
When you or your users engage in behaviors considered risky, the Risk Score goes up. Risky behaviors signal potential security vulnerabilities, so the score increases to reflect a higher level of risk. Examples of risky behaviors include phishing link clicks, weak password practices, malicious website visits, and malware detections on your device.
Engaging in secure behaviors will lower your Risk Score. Secure behaviors demonstrate proactive security awareness and compliance, so the SmartRisk™ Engine adjusts your score to reflect reduced risk. Examples of secure behaviors include reporting phishing emails, completing security training, using strong passwords and multi-factor authentication, and using security tokens for physical security.
Mitigation events mitigate risk on previously recorded risky events. While risky events increase Risk Score, a later mitigation event reduces the impact of that risky event but doesn't completely offset it. Examples of mitigation events include SecurityTips from SecurityCoach, AIDA Remedial Training completions, and PasswordIQ vulnerability resolution events.
What's the new user bias?
When a new user is added to your KSAT console, a new user bias is applied to your active security types for the first 90 days. This temporary increase in Risk Score accounts for the higher risk associated with users who haven't yet completed security training or familiarized themselves with your organization's security policies.
When a new user has at least one secure action within a security type, such as completing a training module, passing a policy quiz, or reporting a phishing email via the PAB, the bias for that specific security type is removed in the next Risk Score calculation. If no secure actions are performed, the bias for that security type will be removed automatically after 90 days.
Users who proactively complete training or demonstrate secure behaviors during their first 90 days will see a more significant and immediate drop in their Risk Score compared to those who wait for the 90-day expiration.
How do inactive factors affect my Risk Score?
In Risk Score, inactive factors occur when your organization doesn't have certain KnowBe4 products or integrations set up. Inactive factors are data gaps in the security types. The SmartRisk™ Engine can't track user behavior because it lacks input from relevant security tools or products.
When there are inactive factors due to missing integrations or products, the SmartRisk™ Engine assumes that these areas could pose a security risk. As a result, Risk Score treats inactive factors as potentially risky, leading to a slightly higher Risk Score for those security types.
For example, if you don't have an integration that monitors endpoint security, the SmartRisk™ Engine can't track whether a user’s device has malware or other endpoint-related risks. This area will be considered inactive, and a slight risk will be factored in to account for potential threats.
How do inactive factors affect my available range?
If your organization has fewer KnowBe4 products and integrations, your available range will generally be narrower and higher. If your organization has more products enabled, like PasswordIQ or SecurityCoach, you can have a wider available range that better reflects true risk based on actual user behavior data.
The more integrations and active factors you have, the broader the SmartRisk™ Engine's understanding of user behavior across the different security types, allowing for a more accurate and potentially lower Risk Score.
How long do specific events impact a user's Risk Score?
The SmartRisk™ Engine has maximum and minimum event count limits that affect each area of your Risk Score. These limits help standardize the influence of risky and secure events on a user’s or organization’s overall Risk Score. Beyond the specific limit set by the SmartRisk™ Engine, any additional events won’t affect the Risk Score further. For example, the maximum count limit of the Phish Alert Button (PAB) is three.
The impact duration, or time-to-live (TTL) value, varies depending on the specific risk factor. For example, credential breaches related to email exposure checks have a 90-day TTL value, meaning the breach will no longer affect the Risk Score after 90 days. Similarly, for Personally Identifiable Information (PII) data breaches, the TTL value is 60 days.
These limits are set to maintain a balanced score that accurately reflects risk without excessive skew from repetitive actions.
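The following is an added illustration of how count limits and TTL values decide which events still count; it is not KnowBe4's scoring code. It uses the limits quoted above (PAB capped at three, a 90-day TTL for email exposure credential breaches, a 60-day TTL for PII breaches); the factor names, the choice to keep the most recent events when capping, and the "expires at exactly the TTL" boundary are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Limits quoted in the FAQ. Factor names are assumed for this illustration;
# factors absent from a map are treated as uncapped or as never expiring.
MAX_COUNT = {"pab_report": 3}
TTL_DAYS = {"email_exposure_breach": 90, "pii_breach": 60}


@dataclass(frozen=True)
class Event:
    user: str
    factor: str
    occurred: date


def counted_events(events, today):
    """Return the events that still influence the score as of `today`.

    Expired events (age >= TTL) are dropped first; then, per user and
    factor, only the most recent MAX_COUNT events are kept (assumption:
    the cap favours recent events)."""
    alive = [e for e in events
             if e.factor not in TTL_DAYS
             or (today - e.occurred).days < TTL_DAYS[e.factor]]
    kept, seen = [], {}
    for e in sorted(alive, key=lambda ev: ev.occurred, reverse=True):
        key = (e.user, e.factor)
        if seen.get(key, 0) >= MAX_COUNT.get(e.factor, float("inf")):
            continue  # beyond the cap: further events have no effect
        seen[key] = seen.get(key, 0) + 1
        kept.append(e)
    return kept


def counted_by_factor(events, today):
    """Count the still-effective events per factor."""
    out = {}
    for e in counted_events(events, today):
        out[e.factor] = out.get(e.factor, 0) + 1
    return out


# Constructed sample input for one user: five PAB reports in five days,
# one fresh and one stale credential breach, one PII breach just inside
# and one just outside its 60-day window.
TODAY = date(2025, 6, 1)
SAMPLE = [Event("alice", "pab_report", TODAY - timedelta(days=d))
          for d in (1, 2, 3, 4, 5)] + [
    Event("alice", "email_exposure_breach", TODAY - timedelta(days=30)),
    Event("alice", "email_exposure_breach", TODAY - timedelta(days=120)),
    Event("alice", "pii_breach", TODAY - timedelta(days=59)),
    Event("alice", "pii_breach", TODAY - timedelta(days=60)),
]

if __name__ == "__main__":
    print(counted_by_factor(SAMPLE, TODAY))
```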
Are students included in my Risk Score calculation?
If you’re using our KnowBe4 Student Edition feature, students will be included in your overall Risk Score calculation.
Can I use my own LMS with Risk Score?
Yes, you can use your own LMS with Risk Score. If your organization has LMS capabilities and we receive any training completion data, including data from KnowBe4, we'll track training data for everyone in your organization. However, if you use your own LMS but don't send us your training data through our User Event API, your Risk Scores will increase. Without your complete training data, your users will appear to have either incomplete or no training, which increases both individual Risk Scores and your organization's overall Risk Score.
Customization and Focus
For more information about the customization and focus of Risk Score, see the questions and answers below:
- Can I customize the weight of different security types or risk factors?
- Is there a way to focus on specific areas of risk?
Can I customize the weight of different security types or risk factors?
The weight of different security types or risk factors in your Risk Score isn't customizable. The calculation of the SmartRisk™ Engine aims to provide consistent, objective benchmarks across organizations, which could be compromised by custom weighting. This approach ensures that Risk Score benchmarks are universally comparable and prevents the potential misuse of altered weights to artificially lower Risk Scores without addressing real security concerns.
Is there a way to focus on specific areas of risk?
Using the Risk Score report, your organization can focus on specific areas of risk by viewing the security types and user behaviors in the areas of concern. For example, in the report, you can expand specific security types and view risk factors related to user behavior that may indicate a security concern.
Improving and Managing Risk Scores
For more information about improving and managing Risk Scores, see the questions and answers below:
- How can high-risk employees reduce their Risk Score?
- Does the SmartRisk™ Engine provide recommendations for improving Risk Scores?
- Can I access raw data or more detailed analytics behind my users' or my organization's Risk Scores?
How can high-risk employees reduce their Risk Score?
High-risk employees can reduce their Risk Score by engaging in security-positive actions. Completing assigned security training, using the Phish Alert Button (PAB) to report phishing emails, and receiving Security Tips all help to reduce your Risk Score. These actions help demonstrate security-aware behavior and reduce the overall Risk Score associated with risky employees.
Does the SmartRisk™ Engine provide recommendations for improving Risk Scores?
The SmartRisk™ Engine encourages secure behavior with prioritized training recommendations, showing you which actions will have the greatest security impact. General recommendations include reporting phishing attempts, consistently completing security awareness training, and actively engaging in compliance activities. Employees who participate in these secure behaviors and maintain good security practices around data, endpoint, and account hygiene will see improvements in their individual and organizational Risk Scores. Specific security insights are available through our Risk Score reports to provide actionable data on areas needing improvement.
Can I access raw data or more detailed analytics behind my users' or my organization's Risk Scores?
Currently, there is no direct access to raw data within the Risk Score reports. However, there are plans to make detailed analytics and underlying calculations available in future updates. The SmartRisk™ Engine provides comprehensive Risk Score reports that detail scores for different security types and associated risk factors. You can access these reports in your KSAT console by navigating to Reports > Risk Score Reports.
Risk Score and KnowBe4's APIs
- How do I retrieve my account risk history?
- Will the KnowBe4 User Event API be updated to work with Risk Score?
How do I retrieve my account risk history?
You can use our Reporting API to retrieve your account risk history. Your account will automatically transition to Risk Score, and your risk history data will continue to be available through the API.
Will the User Event API be updated to work with Risk Score?
Yes, the User Event API will work with Risk Score, but with important changes. For both GET operations (retrieving events) and POST operations (pushing events), the risk_level, risk_decay_mode, and risk_expire_date parameters will no longer be supported. These parameters were specific to our legacy Risk Score.
We've added a new factor field on the User Event API, which can be used to create new event types to register user training activities that will positively impact Risk Scores. These new factors are:
- training_completion_email_security
- training_completion_endpoint_security
- training_completion_data_security
- training_completion_web_security
- training_completion_account_security
- training_completion_compliance_electives
- training_completion_physical_security
These new factors allow you to record completion of security training across different risk domains, which will be factored into the Risk Score calculation.
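As an added example (not KnowBe4's own client code), the helper below builds a training-completion event body that carries the new factor field, migrates a legacy body by dropping the three unsupported parameters named above, and validates a body before it is sent. The seven factor values and the three legacy parameter names come from this article; the other field names (target_user, event_type, external_id, occurred_date) are assumptions about the request shape, and the endpoint is left as a placeholder.

```python
# Factor values listed in the FAQ for the new `factor` field.
TRAINING_FACTORS = {
    "training_completion_email_security",
    "training_completion_endpoint_security",
    "training_completion_data_security",
    "training_completion_web_security",
    "training_completion_account_security",
    "training_completion_compliance_electives",
    "training_completion_physical_security",
}

# Legacy-only parameters the FAQ says are no longer supported on GET or POST.
LEGACY_FIELDS = {"risk_level", "risk_decay_mode", "risk_expire_date"}

USER_EVENT_ENDPOINT = "<USER_EVENT_API_URL placeholder>"  # not taken from the FAQ


def build_training_event(target_user, external_id, occurred_date, factor):
    """Build a POST body for a training completion with the new factor.
    Field names other than `factor` are assumptions about the API shape."""
    if factor not in TRAINING_FACTORS:
        raise ValueError(f"unknown factor: {factor}")
    return {
        "target_user": target_user,
        "event_type": {"name": "training_completion"},
        "external_id": external_id,
        "occurred_date": occurred_date,
        "factor": factor,
    }


def migrate_legacy_event(legacy, factor):
    """Drop the legacy risk_* parameters and attach a factor.
    Returns (new_body, dropped_keys)."""
    if factor not in TRAINING_FACTORS:
        raise ValueError(f"unknown factor: {factor}")
    dropped = sorted(k for k in legacy if k in LEGACY_FIELDS)
    body = {k: v for k, v in legacy.items() if k not in LEGACY_FIELDS}
    body["factor"] = factor
    return body, dropped


def validate_event(body):
    """Return a list of problems that would make the body unsuitable to POST."""
    problems = [f"unsupported legacy field: {k}"
                for k in sorted(LEGACY_FIELDS & body.keys())]
    if body.get("factor") not in TRAINING_FACTORS:
        problems.append("factor missing or not one of the seven training factors")
    return problems


# Constructed legacy body as an integration script might have sent it.
SAMPLE_LEGACY = {
    "target_user": "alice@example.com", "event_type": {"name": "lms_course"},
    "external_id": "lms-course-42", "occurred_date": "2025-06-01T12:00:00Z",
    "risk_level": -5, "risk_decay_mode": "0", "risk_expire_date": "2025-12-31",
}
```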