Human Risk Scoring
A live 0–100 score per employee. Lower is better.
Score drives remediation triggers, not manager judgment. Leadership sees the org-level signal; individuals see a private dashboard. The program never punishes failure — it redirects it.
Score Components
- Phishing click rate: 35%
  Primary negative indicator. Single highest-weight factor.
- Report rate (phish button usage): 25%
  Primary positive indicator. High reporters score well even with occasional clicks.
- Training completion velocity: 20%
  On-time completion reduces score. Late completions increase it.
- Quiz performance: 15%
  Average score across all knowledge checks. Scenario-based only.
- Improvement trend: 5%
  Bonus credit for consistent improvement over rolling 90-day window.
Risk Tiers & Response
- LOW: 0–30
  Standard curriculum. Recognized in monthly digest. No intervention required.
- MEDIUM: 31–60
  Additional micro-modules assigned on weak areas. Increased sim frequency.
- HIGH: 61–80
  IT coaching session scheduled. 30-day intensive re-training plan activated.
- CRITICAL: 81–100
  Manager notification (team-level, not individual). Mandatory remediation. Access review triggered.
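The component weights and tier boundaries above, worked through as an added example (not the program's own code). The page gives the weights but not how each input is normalised, so the 0–1 risk fractions, the boolean trend flag, the mean used for the org-level score, and all function names are assumptions.

```python
# Added example: weights and tier bounds are from the page; normalisation is assumed.
WEIGHTS = {"click": 0.35, "report": 0.25, "velocity": 0.20, "quiz": 0.15, "trend": 0.05}
TIERS = [(30, "LOW"), (60, "MEDIUM"), (80, "HIGH"), (100, "CRITICAL")]


def risk_score(click_rate, report_rate, on_time_rate, quiz_avg, improving):
    """Return a 0-100 score (lower is better). Rates are fractions in [0, 1]."""
    rates = {"click_rate": click_rate, "report_rate": report_rate,
             "on_time_rate": on_time_rate, "quiz_avg": quiz_avg}
    for name, value in rates.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {value!r}")
    # Assumption: each component becomes a 0-1 risk fraction. Positive
    # indicators (reporting, on-time completion, quiz results) are inverted.
    risk = {
        "click": click_rate,
        "report": 1.0 - report_rate,
        "velocity": 1.0 - on_time_rate,
        "quiz": 1.0 - quiz_avg,
        # Assumption: the 5% trend weight is waived for a consistent improver.
        "trend": 0.0 if improving else 1.0,
    }
    total = sum(WEIGHTS[k] * risk[k] for k in WEIGHTS)
    return min(100, max(0, round(100 * total)))


def tier(score):
    """Map an integer score to the page's tier (0-30, 31-60, 61-80, 81-100)."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score!r}")
    return next(label for upper, label in TIERS if score <= upper)


def org_score(scores):
    """Org-level signal for leadership: mean of individual scores (assumed)."""
    return round(sum(scores) / len(scores), 1)


# Constructed sample employees, not real data.
SAMPLE = {
    "frequent_reporter": risk_score(0.20, 0.90, 1.00, 0.85, True),
    "silent_non_clicker": risk_score(0.00, 0.00, 0.50, 0.60, False),
    "worst_case": risk_score(1.00, 0.00, 0.00, 0.00, False),
}

if __name__ == "__main__":
    for name, score in SAMPLE.items():
        print(f"{name}: {score} ({tier(score)})")
    print("org:", org_score(list(SAMPLE.values())))
```

Under these assumptions the employee who clicks 20% of simulations but reports 90% of them lands in LOW, while the employee who never clicks and never reports lands in MEDIUM.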
Program KPIs (Year-End Targets)
| KPI | Target (Year-End) | Description |
|---|---|---|
| Click rate | < 5% | % of employees who click a simulated phish. Industry avg at start: 25–35%. |
| Report rate | > 70% | % of simulated phish reported via button. Often more predictive than click rate. |
| Time to report | < 10 min median | How quickly employees report real or simulated suspicious emails. |
| Completion rate | > 95% monthly | % of assigned modules completed on time. Laggards auto-escalated after 5 days. |
| Repeat fail rate | < 3% | % of employees failing same sim vector twice in 90 days. Triggers coaching. |
| Org risk score | Trending down | Aggregated score reported to leadership quarterly. Primary ROI metric. |
Expected Improvement Trajectory
| Milestone | Click rate | Note |
|---|---|---|
| Baseline (M1) | ~28% | Industry average |
| Q2 (Month 6) | ~14% | 50% reduction |
| Q3 (Month 9) | ~8% | 71% reduction |
| Year-End (M12) | ~4% | 86% reduction |
Targets based on industry SMB benchmark data for programs with monthly cadence and teachable-moment remediation. Actual results vary by organization size, industry, and pre-program security culture.