Risk reports [T]

A tutorial on the CybSafe risk reports

Written by Victoria Moody
Updated this week

Our 'Risk' pages make it easy to see where specific security risks appear in your organisation. Surfacing this data means that you can take steps to reduce the risk in these areas before an incident happens.

You can find this report in the Admin menu: Reports > Risk.

If you have the CybSafe ‘Insights’ package you can also view the risk on an individual or group basis. This means you can deliver tailored learnings to specific groups depending on their risk. The ‘Insights’ package also means you can narrow down by date to ensure your training is as relevant as possible, and provided at the best time.


Risk outcome tab

Here you can see how certain risk categories have been tracked over time. The 'Risk category' percentage shows the change in risk over the last 30 days (or other custom date range if you have our Insights package).

On this page you can also see the 'likelihood' and 'impact' of this risk on your organisation.

Each risk outcome has its own impact score that is based on the three impact factors of expected monetary loss, expected level of effort, and expected level of disruption.

In the Risk outcome reports, impact can be seen on the risk outcome banner.

The impact factors are customisable, each with a value between 1 and 4.

The three impact factor values are multiplied together to create a combined score between 1 (1x1x1) and 64 (4x4x4).

The combined score is mapped using the below chart to determine the impact score (1 to 5) and impact category (Minor, Moderate, Major, Extreme).

Using the ‘Analytics’, ‘Recommendations’, ‘Linked behaviours’ and ‘Risk factors’ tabs, you can then delve into the specific security behaviours linked to this risk, and possible actions to take.

Analytics tab

In this tab you can see the 'Risk outcome score' over time.

Recommendations tab

In this tab you can see 'Risk reduction insights'. These are some of the behaviours that contribute to the risk that might need increased coverage. You can take 'Actions' based on these recommendations by clicking on the three dots which will give you options to send a nudge, assign a module or a goal.

Linked behaviours tab

This tab shows you the specific behaviours linked to the risk and how your organisation is performing.

Risk factors: Score contributions

This tab shows the actual contribution rates and scores for each risk factor.

Risk factor definitions

Security behaviours

Security behaviours are the actions people take that influence cyber risk. This includes using strong passwords, regularly updating software, being cautious when clicking on links or downloading attachments, and following best practices for data privacy.

As a human cyber risk factor, Security behaviours represent how people exhibit patterns of behaviour.

Knowledge & understanding

“Education and training” is a broad term that covers obtaining general knowledge, personal awareness, and skills training. Although not sufficient by itself, education can be an important component for behaviour change.

As a human cyber risk factor, Knowledge & understanding represents how well people engage with cybersecurity education.

Use Knowledge & understanding to understand if education may help influence behaviours.

Exposure

Exposure is the level of vulnerability people have to external threats and their approach to addressing them. Ways of understanding Exposure include compromised credentials and oversharing of personal information on social media.

As a human cyber risk factor, Exposure represents how vulnerable people are to specific external threats.

Use Exposure to identify people who need support with specific vulnerabilities.

Engagement

Engagement is how active and responsive people are to security awareness requests, assignments, and activities. This could include:

  • completing assigned learning tasks,

  • attending security events,

  • sharing security tips, advice and guidance with friends and colleagues,

  • asking for help

As a human cyber risk factor, Engagement represents how willing people are to engage with cybersecurity.

Use Engagement to understand if people need to be encouraged or incentivised more to engage in your security awareness programme. A lack of engagement may make it more difficult to influence behaviour change.

Attitude

Someone’s behaviours can reflect their established beliefs and attitudes. This means attitudes towards cybersecurity may help explain certain behavioural patterns.

As a human cyber risk factor, Attitude reflects how people feel about cybersecurity.

Use Attitude to understand if people are potentially resistant to behaviour change due to their sentiment towards cybersecurity.

Confidence

Confidence is about how strongly someone believes their knowledge to be correct. Combining Confidence with Security behaviours or Knowledge & understanding can create a richer understanding of your workforce.

As a human cyber risk factor, Confidence represents how confident people are about their cybersecurity knowledge.

Use Confidence to identify potentially risky people who are highly confident but whose knowledge scores are low.

Digital hygiene

People who value good cyber hygiene carry many of these practices through to the workplace. In a similar vein, people who are more vulnerable in their personal lives are likely to be more vulnerable at work. Organisations that successfully help improve their employees' cyber habits will have a positive impact on employees' personal digital wellbeing too.

As a human cyber risk factor, Digital hygiene represents how well people practise good cybersecurity habits in their personal lives.

Tech & data access

Not every employee in your organisation has the same level of access to sensitive data or systems. As a result, not every employee represents the same level of risk in the event of certain cyber incidents. If someone with high levels of access has their account compromised, this could lead to a massive data breach.

As a human cyber risk factor, Tech & data access represents how much access to data and technology people have.

Use Tech & data access to understand who may need greater levels of support due to their access.


Risk factors tab

This graph shows the risk of each category, and the proportion of your users exhibiting good security practices.


Groups/People tabs

With the CybSafe 'Insights' package you can also break down the risk in your organisation by ‘groups’ and specific people, using the relevant tabs.

Recommendations tab

This tab outlines some of the behaviours that contribute to the risk that might need increased coverage. You can take 'Actions' based on these recommendations by clicking on the three dots which will give you options to send a nudge, assign a module or a goal.


Activity log tab

These activity logs give you visibility of all of the events that feed into our behaviour scores.


Impact settings

To tailor the impact of a security risk to your organisation, you can change the settings to reflect the impact one would have on the organisation. This is then pulled through to each risk category so you can see the real impact, and use this to report to other stakeholders in the business, giving real-life examples.


What steps should I take when I have spotted an area to reduce risk in?

If you have the CybSafe Insights package, then we have done the work for you! In our ‘Recommendations’ tab we have calculated 10 risk-reduction insights. These are the highest-tier behaviours with the lowest coverage, and targeting these will have the highest chance of reducing risk outcomes.


Still have questions?

If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!
