Human Risk Scoring
Score drives remediation triggers, not manager judgment. Leadership sees the org-level signal; individuals see a private dashboard. The program never punishes failure — it redirects it.
- Primary negative indicator. Single highest-weight factor.
- Primary positive indicator. High reporters score well even with occasional clicks.
- On-time completion reduces score. Late completions increase it.
- Average score across all knowledge checks. Scenario-based only.
- Bonus credit for consistent improvement over rolling 90-day window.
- Standard curriculum. Recognized in monthly digest. No intervention required.
- Additional micro-modules assigned on weak areas. Increased sim frequency.
- IT coaching session scheduled. 30-day intensive re-training plan activated.
- Manager notification (team-level, not individual). Mandatory remediation. Access review triggered.
| KPI | Target (Year-End) | Description |
|---|---|---|
| Click rate | < 5% | % of employees who click a simulated phish. Industry avg at start: 25–35%. |
| Report rate | > 70% | % of simulated phish reported via button. Often more predictive than click rate. |
| Time to report | < 10 min median | How quickly employees report real or simulated suspicious emails. |
| Completion rate | > 95% monthly | % of assigned modules completed on time. Laggards auto-escalated after 5 days. |
| Repeat fail rate | < 3% | % of employees failing same sim vector twice in 90 days. Triggers coaching. |
| Org risk score | Trending down | Aggregated score reported to leadership quarterly. Primary ROI metric. |
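The four simulation KPIs above (click rate, report rate, median time to report, repeat fail rate) computed from per-employee simulation records and checked against the year-end targets, as an added example that is not part of the original program document. The `SimResult` schema, the sample records and the 90-day repeat-fail window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
@dataclass
class SimResult:  # one simulated phish to one employee (constructed schema)
    employee: str
    vector: str                   # sim vector, e.g. "credential-harvest"
    sent: datetime
    clicked: bool
    reported_at: datetime = None  # None = never reported via the button
# Year-end targets from the KPI table above: (comparison, threshold).
TARGETS = {"click_rate_pct": ("<", 5), "report_rate_pct": (">", 70),
           "median_minutes_to_report": ("<", 10), "repeat_fail_rate_pct": ("<", 3)}
def kpis(results: list, window_days: int = 90) -> dict:
    employees = {r.employee for r in results}
    clickers = {r.employee for r in results if r.clicked}
    reported = [r for r in results if r.reported_at is not None]
    # Repeat fail: same employee clicks the same vector twice within window_days.
    clicks = {}
    for r in results:
        if r.clicked:
            clicks.setdefault((r.employee, r.vector), []).append(r.sent)
    repeat = {e for (e, _), ts in clicks.items() if any(
        (b - a).days <= window_days for a, b in zip(sorted(ts), sorted(ts)[1:]))}
    minutes = [(r.reported_at - r.sent).total_seconds() / 60 for r in reported]
    return {
        "click_rate_pct": 100 * len(clickers) / len(employees),
        "report_rate_pct": 100 * len(reported) / len(results),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "repeat_fail_rate_pct": 100 * len(repeat) / len(employees),
    }

def meets_targets(k: dict) -> dict:
    # True per KPI when the measured value is on the right side of its target.
    return {n: k[n] is not None and (k[n] < v if op == "<" else k[n] > v)
            for n, (op, v) in TARGETS.items()}

# Constructed data: four employees, two monthly sims of the same vector.
T0 = datetime(2024, 3, 4, 9, 0)
T1 = T0 + timedelta(days=35)
SAMPLE = [
    SimResult("alice", "credential-harvest", T0, False, T0 + timedelta(minutes=5)),
    SimResult("bob",   "credential-harvest", T0, True,  T0 + timedelta(minutes=20)),
    SimResult("carol", "credential-harvest", T0, False),
    SimResult("dave",  "credential-harvest", T0, True),
    SimResult("alice", "credential-harvest", T1, False, T1 + timedelta(minutes=3)),
    SimResult("bob",   "credential-harvest", T1, True),  # second click: repeat fail
    SimResult("carol", "credential-harvest", T1, False, T1 + timedelta(minutes=40)),
    SimResult("dave",  "credential-harvest", T1, False),
]
```

On the sample, `bob` is the only repeat fail (two clicks on the same vector 35 days apart) and no KPI meets its target yet, which is what the remediation tiers above are meant to act on.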
| Milestone | Click rate | Change vs. baseline |
|---|---|---|
| Baseline (M1) | ~28% | industry average |
| Q2 (Month 6) | ~14% | 50% reduction |
| Q3 (Month 9) | ~8% | 71% reduction |
| Year-End (M12) | ~4% | 86% reduction |
Targets based on industry SMB benchmark data for programs with monthly cadence and teachable-moment remediation. Actual results vary by organization size, industry, and pre-program security culture.