Home / Topics / Employee Risk Scoring
Problem Brief
Employee risk scoring.
Attackers pick targets by access. A useful employee risk score has to model both sides: who is likely to fail, and how expensive that failure would be. Scores built on clicks alone get exactly half the picture.
The Problem
What click-based scores get wrong.
01
Impact-blind
An intern who clicks everything scores worse than a wire-authorized controller who clicks occasionally. Your remediation effort flows to the wrong person.
02
Channel-blind
Someone flawless on email may hand over credentials to a confident voice on the phone. Email-only scoring certifies people who’ve never been tested where they’re weakest.
03
Static
People change jobs, gain access, get promoted into attack surface. A score that doesn’t track exposure changes goes stale silently.
Why Legacy Training Struggles
Scores built from what was easy to count.
Legacy platforms score what their architecture produces: training completions and email clicks. Exposure lives in your HRIS and identity provider; resilience lives in reporting telemetry. A platform that doesn’t integrate with those systems can’t score risk — it can only score participation.
What Modern Looks Like
Score the person, weight the blast radius.
Behavior, multi-channel
Fail rates and reporting behavior across email, SMS, and voice — the likelihood term, measured where attacks actually happen.
Exposure, from your systems
Payment authority, production access, admin rights, executive proximity — synced from HRIS and identity so scores update when roles do.
Prioritized output
A remediation queue sorted by business impact. The top ten names are where your next incident is most likely to start.
Cimento's Approach
Risk scoring that survives contact with an attacker’s logic.
Cimento models who is likely to fail and who has the access attackers care about, then routes adaptive micro-training to the intersection. Remediation is ordered by business impact.
Role-Based Risk Matrix · Sample
Likelihood
Impact
Priority
Controller
Med
Crit
P0
Exec Asst
High
High
P1
SRE
Low
High
P2
Intern
High
Low
P2
Same click rate, different priority — because impact is half the score.
FAQ
Is individual risk scoring fair to employees?
What data does exposure scoring require?
How often should scores update?
Know your top ten risks by name.
The 14-day baseline produces role-based scores for your actual org — and a remediation queue sorted by what an attacker would target first.