In our previous post, we explored the Human Risk Command Center (HRCC) and how it transforms abstract human behavior into quantifiable metrics. Now we're diving deep into adaptive policies—the intelligent controls that automatically adjust security measures based on user behavior and organizational threats. Read the previous blog post here
Understanding Adaptive Policies
Adaptive policies represent a shift from static, one-size-fits-all security controls to dynamic protections that respond to actual risk levels. Through the HRCC, organizations gain the visibility needed to implement targeted interventions that scale protection levels according to individual risk assessments. As a reminder, the HRM platform automatically creates and maintains specialized profile groups that enable adaptive security responses. These groups form the foundation of adaptive policy control:
Very High-Risk Users: Captures individuals based on demonstrated behaviors including clicking phishing links, misidentifying phishing simulations, interacting with malware, and mishandling sensitive data.
Very High Attack Factor Users: Identifies employees facing disproportionate targeting from external threats based on email threat volume, identity-based attacks and malware.
Three Scenarios for Adaptive Policies
In order to provide you with the best recommendations for policies to handle these different situations, we engaged with our internal security team, professional services and support personnel to help define what should occur for each eventuality, supporting a phased approach that aligns with your individual risk appetite.
Scenario 1: Protecting Highly Attacked Users
When employees face elevated attack volumes, the HRCC automatically identifies these users and escalates them to the Very High Attack Factor Users group, without manual intervention. Our recommended policies for this profile group are:
Phase 1: Visibility
- Enable alerting for phishing-related activities and malicious link clicks through Awareness training settings within URL Protect
- Deploy phishing simulations to assess user susceptibility
- Email tagging and warning banners through Cybergraph or Impersonation Protection
- Track reporting behaviors and provide education on proper procedures
Phase 2: Hard Controls
- Attachment Protection: On-demand analysis with safe file backup, admin review for suspicious files
- URL Protection: Aggressive category scanning including IP addresses and internal links
- Browser Isolation: Prevent text extraction and credential theft through remote execution
- Impersonation Protection: Two-tier structure—tag at 2 indicators, hold at 3+ indicators
- Advanced BEC Protection: Aggressive policies targeting high-risk individuals
- Awareness Training: Increased frequency with content targeted to specific attack vectors
- Identity Controls: Tiered password reset and increased MFA requirements through your identity management provider
Download the Complete Highly Attacked Users Playbook here.
Scenario 2: Managing Repeat Offenders
Users who repeatedly engage in risky behaviors despite training and interventions pose heightened organizational risk. The HRCC tracks these patterns (through integrations), automatically escalating users to the Very High-Risk Users group, without manual intervention. Our recommended policies for this profile group are:
Phase 1: Visibility and Nudging
- Email tagging and warning banners through Cybergraph or Impersonation Protection
- Behavioral nudges from Mimecast Engage for real-time contextual warnings
- Communications to advise of acceptable usage policies
- Set expectations about phishing risks and reporting procedures
Phase 2: Targeted Enforcement
- Justification Requirements: Business rationale required for accessing sensitive resources through Incydr integration
- Manager Notifications: Automated alerts with event details and recommended actions
- Time-Based Policies: Tighter controls after hours or for sensitive content
- Password Reset Tiers: Enhanced verification for high-risk users
- Contextual Access Reviews: Flag permission deviations from peer groups
Phase 3: Hard Controls
- Outbound Monitoring: Intercept and review messages before delivery
- Content Examination: Hold suspicious emails for administrative review
- Quarantine Actions: Automatic containment of the endpoint
- Access Restrictions: Automated limitations through Incydr integration
- Session Management: Force re-authentication and revoke current sessions
Download the Repeat Offenders Playbook here.
Scenario 3: Preventing Sensitive Data Mishandling
Data mishandling represents a critical risk vector that is often monitored but not enforced. The HRCC uses data handling patterns across collaboration tools, cloud storage, and endpoint devices (requires integration), automatically escalating users to the Very High-Risk Users group, without manual intervention. Our recommended policies for this profile group are:
Phase 1: Visibility and Nudging
- Alert creation for unusual data access patterns and large file transfers
- Visual cues asking "Are you sure you want to share this externally?"
- User notifications about acceptable usage policies
- Targeted communications about data protection responsibilities
Phase 2: Targeted Enforcement
- Justification Prompts: Business rationale for accessing cloud repositories
- Manager Notifications: Alerts for policy violations with recommended actions
- Response Evaluation: Incydr captures and evaluates user-provided rationales
Phase 3: Hard Controls
- Outbound Monitoring: Review queue for messages to freemail/competitor domains
- Content Management: Scan for sensitive project keywords and high-risk data types
- Outbound Hold: Administrative review requirement for all external emails
- Access Restrictions: Automated limitations through identity management integration
- Egress Controls: Block USB drives, AirDrop, and other exfiltration vectors
Download the Sensitive Data Mishandling Playbook here.
Utilize the profile group reference at the end of each playbook to look for other policy options.
Implementation Best Practices
Successful adaptive policy deployment requires planning and phased implementation. Organizations should test each policy in pilot groups before full deployment, following established change control processes.
Monitor effectiveness through the Mimecast Administration Console, tracking both security improvements and administrative overhead. The HRCC provides metrics on risk score trends, policy trigger rates, and behavioral improvements, enabling continuous refinement of adaptive controls.
The Power of Dynamic Security
By automatically adjusting security controls based on real-time risk assessments, organizations achieve stronger protection without sacrificing productivity. The HRCC ensures these adjustments remain proportional and temporary. As users demonstrate improved security behaviors, controls automatically relax. This dynamic approach addresses the fundamental challenge of human risk: different users present varying vulnerability levels at different times.
Next Steps
Ready to implement adaptive policies in your organization? Start by accessing the Human Risk Command Center through your Mimecast Administration Console. Enable key integrations across endpoint, identity, and data protection platforms to build comprehensive risk profiles. Then leverage the automatically generated profile groups to create targeted policies that adapt to your organization's evolving risk landscape.
Knowledge Base Articles
Human Risk Command Center Overview
Human Risk Integrations (Also previously called Engage integrations)
List of available Human Risk Integrations (filter by HRM Platform)