The BRI is a score from 0 to 1000 reflecting how much a person's behavior increases the risk of a security incident, weighted by their role and access.
What BRI measures
BRI combines two inputs into a single score from 0 to 1000.
Behavior. What people are actually doing. CybSafe captures behavior events from your integrations and platform activity, for example, whether someone reports a suspicious email, clicks a phishing link, or installs an unauthorised application. Each event feeds into a score for that specific behavior. Across all the behaviors you're measuring, this rolls up into a risk likelihood for each person: a percentage representing how likely they are to behave in a way that creates risk.
Impact. The role and access of the person involved. CybSafe assigns each person a user level from 1 to 4, where Level 1 is your highest-impact people (senior leadership, finance, admins) and Level 4 is your lowest-impact roles. The same risky behavior from a Level 1 person matters more than from a Level 4 person because the potential consequences are bigger.
User BRI brings these together: risk likelihood weighted by user level, scaled to 0–1000.
Not all behaviors carry equal weight
CybSafe measures behaviors from the SebDB behavior database. Each security behavior is classified into one of four tiers based on how critical it is:
Tier 1 — Most critical. Failures here have the biggest potential impact on your security.
Tier 2 — Important.
Tier 3 — Standard.
Tier 4 — Least critical.
When calculating risk likelihood, Tier 1 behaviors carry significantly more weight than Tier 4 behaviors. Good performance on lower-tier behaviors can't cancel out poor performance on critical ones. If someone is consistently clicking phishing links, no amount of locking their screen at the end of the day will rescue their score.
The four BRI metrics
BRI isn't a single number. It's a family of scores using the same methodology applied to different slices of data.
Metric | Question it answers | What it shows
User BRI | Who needs support? | The risk a single person is contributing |
Group BRI | How is this team doing? | The risk a defined group is contributing |
Behavior BRI | What behavior needs attention? | The risk a single behavior is contributing across the organisation |
Organization BRI | How are we doing overall? | Your whole organisation, rolled up |
Every score uses the same 0–1000 scale and can be drilled into. The sections below explain how each one is calculated and what it tells you.
User BRI
Who needs support?
User BRI brings together the two inputs that BRI is built on: behavior and impact.
For each behavior CybSafe is measuring, the person has a score based on what they've actually done: the events captured from your integrations and platform activity. Across all their measured behaviors, this rolls up into a risk likelihood: a percentage representing how likely that person is to behave in a way that creates risk.
That likelihood is then weighted by the person's user level, a 1 to 4 scale where Level 1 is your highest-impact people (senior leadership, finance, admins) and Level 4 is your lowest-impact roles. The same risky behavior from a Level 1 person matters more than from a Level 4 person, because the potential consequences are bigger.
A 5% click rate where the clickers are in Finance is not the same as a 5% click rate where the clickers are graduates. Activity metrics like click rates treat every person equally. User BRI doesn't. It weights behavior by who's doing it, so the score reflects actual risk to your organisation, not just headline numbers.
Behavior BRI
What behavior needs attention?
Where User BRI looks at one person across all their behaviors, Behavior BRI looks at one behavior across all your people.
For a given security behavior (say, SB081: Checks a message for signs of deception), Behavior BRI takes the risk likelihood for everyone who's been measured on it, weights each by their user level, and rolls them up into a single 0–1000 score. The result tells you how much that specific behavior is contributing to your overall incident risk.
A high Behavior BRI means the behavior is widely problematic, or problematic among your highest-impact people, or both. Drilling into the score shows you which.
Behavior BRI is most useful for prioritising. With dozens of behaviors being measured, you can't act on all of them at once. Sorting by Behavior BRI surfaces the ones where action is most likely to reduce your overall risk.
Group BRI
How is this team doing?
Group BRI takes the same approach as User BRI, but at the scope of a group rather than an individual. It combines the risk likelihoods of everyone in the group, weighted by their user levels, into a single 0–1000 score for the group as a whole.
A group can be any cohort you've defined in CybSafe: a department, a region, a job function, a custom segment. Group BRI tells you how that group's behavior is contributing to your incident risk, on the same scale as every other group.
This is the metric that turns a list of risky individuals into a part of the organisation that needs attention. If a behavior problem is concentrated in one team, Group BRI will show that pattern clearly where a list of individual scores might not. It's also the level you'd take to a department head ("your team's Group BRI is X, here's what's driving it") when you want to make a case for focused action.
Organization BRI
How are we doing overall?
Organization BRI is the headline number: the single score that summarises your behavioral risk picture. You might expect it to be an average of every User BRI, but it isn't. It uses a fixed-slice approach: each user level contributes a fixed share to the total, regardless of how many people are in that level.
Level 1 contributes 40%
Level 2 contributes 30%
Level 3 contributes 20%
Level 4 contributes 10%
This is deliberate. In a typical organisation, Level 4 people heavily outnumber Level 1 people. If we simply averaged everyone together, the few highest-impact people would be drowned out by the many. Fixed slices stop that happening. Your senior leaders' behavior carries meaningful weight in your overall score, which is proportionate to the impact they actually have on risk.
A small number of high-impact people behaving badly can't be hidden by a much larger group behaving well. That's exactly the scenario most likely to cause a serious incident.
If a level has no one in it, its weight is redistributed across the remaining levels. The score still works, but it works best when all four levels are populated.
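An added sketch, not CybSafe's own calculation, that puts the fixed-slice roll-up described above next to a plain headcount average. The per-level mean, the proportional redistribution of an empty level's share, the linear scaling to 0-1000 and the sample population are all assumptions; only the 40/30/20/10 shares come from the text.

```python
# Added illustration, not CybSafe's implementation. Only the fixed shares
# come from the page; everything marked "assumption" is ours.
from statistics import mean

# Fixed share of the total contributed by each user level (from the page).
LEVEL_SHARE = {1: 0.40, 2: 0.30, 3: 0.20, 4: 0.10}


def level_means(people):
    """Mean risk likelihood (0.0-1.0) per populated user level.

    Assumption: a level's figure is the plain mean of its members.
    """
    by_level = {}
    for level, likelihood in people:
        by_level.setdefault(level, []).append(likelihood)
    return {lvl: mean(vals) for lvl, vals in by_level.items()}


def fixed_slice_score(people):
    """0-1000 score in which each level contributes its fixed share.

    Assumption: an empty level's share is redistributed in proportion to
    the remaining shares (the page does not say how it is split), and the
    result is scaled linearly to 0-1000.
    """
    means = level_means(people)
    if not means:
        raise ValueError("no measured people")
    populated = sum(LEVEL_SHARE[lvl] for lvl in means)
    weighted = sum(LEVEL_SHARE[lvl] / populated * m for lvl, m in means.items())
    return round(weighted * 1000)


def headcount_average_score(people):
    """0-1000 score from a simple average over everyone, for contrast."""
    return round(mean(p for _, p in people) * 1000)


# Constructed sample of (user_level, risk_likelihood): five risky Level 1
# people and a large, well-behaved Level 4 population.
SAMPLE = ([(1, 0.80)] * 5 + [(2, 0.30)] * 20
          + [(3, 0.20)] * 75 + [(4, 0.10)] * 400)

if __name__ == "__main__":
    print("headcount average:", headcount_average_score(SAMPLE))
    print("fixed slice:      ", fixed_slice_score(SAMPLE))
    no_level_2 = [p for p in SAMPLE if p[0] != 2]
    print("fixed slice, Level 2 empty:", fixed_slice_score(no_level_2))
```

On this sample the five Level 1 people are 1% of the headcount, so a simple average barely registers them, while the fixed-slice score moves sharply.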
Watching Organization BRI over time tells you whether your programme is moving the needle. If it's coming down, you're shaping behavior. If it isn't, the metrics underneath it (Behavior BRI, Group BRI, User BRI) tell you where to look.
Where the data comes from
BRI is calculated from the behavior events CybSafe captures. These come from:
Integrations — your phishing simulations, email gateway, identity provider, endpoint protection, web filtering, and other tools that report real behavior events.
Platform activity — what people do in CybSafe itself, such as completing learning or reporting a phishing email.
BRI uses observed behavior only. Survey-based signals like knowledge tests, attitude surveys, and confidence ratings are no longer included in the score. The score reflects what people do, not what they say they would do.
Events from the last 12 months are included in the score. Older events drop out automatically. A 12-month window keeps scores stable for behaviors that don't generate events often, like annual training.
