Mimecast Awareness Training: How Risk Scoring Works

Document created by user.oxriBaJeN4 Employee on Sep 28, 2018. Last modified by user.oxriBaJeN4 Employee on Mar 21, 2019.
Version 7

This guide describes in detail how Mimecast Awareness Training's risk scoring works, as found in the Performance | Risk Scoring section of the platform. View the Mimecast Awareness Training: Analyzing Performance page for further information.



One of the biggest problems facing security professionals is how to effectively follow an employee’s digital footprint and accurately assign risk. Mimecast Awareness Training helps security professionals optimize real-time employee training data to assign timely, accurate, and relevant employee and organizational risk scores, with the ratings updated daily.


Mimecast Awareness Training's risk scoring helps you:

  • Expose potentially high risk employees and help predict who the riskiest employee may be in the future.
  • Continuously assess information security risks and assess where improvements can be made.
  • Make better business decisions using objective, verifiable, and actionable data.
  • Understand how your company’s risk compares to industry peers.

How Risk Scores are Calculated


Mimecast Awareness Training formulates risk scores by analyzing millions of data points captured from employees' interaction with the platform, as well as actual behavior. It runs this raw data through an algorithm that analyzes the data for severity, frequency, duration, and confidence. With this information, an overall rating of an organization’s employee risk exposure can be created.


Risk Scores consist of the following three factors, with each category given equal "weight" when calculating the overall score:

  • Engagement
  • Sentiment
  • Knowledge

Employee Risk Scores (ERS)

Mimecast Awareness Training’s ERS are similar to consumer credit scores. They range from 250 to 900, with a low rating indicating a potentially high risk employee and a higher rating indicating a potentially less risky employee. Specifically, the platform analyzes various elements from three dimensions derived from employee training (sentiment, engagement, and knowledge) to assess an employee’s security risk profile over time. Risk scores take into account historical performance as well as recent trends.

Company Risk Score (CRS)

Mimecast Awareness Training takes the underlying raw data in the ERS, and runs it through a proprietary algorithm. This analyzes the data across industry baselines, and creates an overall, contextual, company risk score.


How Ataata’s Risk Scores are Used


The risk scores can be leveraged for multiple use cases, including benchmarking, employee risk management, and cyber insurance.




Here are a few ways companies can use Mimecast Awareness Training's Risk Score for benchmarking:

  • To see how the company is generally performing and how effective the current security programs are.
  • To easily see if your company's risk score is more or less advanced than industry peers. With this information, organizations can make better decisions on how to efficiently allocate resources for their security program.
  • Company executives and leadership teams are increasingly concerned with cyber security performance. Mimecast Awareness Training’s risk scores are an effective, accepted way to communicate security performance with an organization's board.


Employee Risk Management


Traditional tools fail to provide useful information about a company’s largest security risk: human error. Mimecast Awareness Training’s risk scores provide a solution, helping security administrators:

  • Quickly identify and prioritize high risk employees.
  • Rapidly understand the areas of the greatest vulnerability within the human element.
  • Integrate risk scores with existing SIEMs and UEBA analytical platforms and solutions, to gain visibility into human risk across the organization.


Cyber Insurance


Mimecast Awareness Training’s risk scores can be used by underwriters to prepare models for their business plans. Significant data breaches have impacted the cyber/data breach insurance market. The combination of these breaches, insurance regulatory scrutiny, and the underwriters’ desire to maintain profitability have led to fewer insurers providing cyber/data breach cover. 


To better understand this exposure, underwriters are now aggressively seeking supplemental data. Mimecast Awareness Training meets this need by offering underwriters unique insight into a company’s most exposed risk source - their employees.

