Cimento is headed to Black Hat USA — catch us in Vegas, Aug 1–6

Black Hat USA 2026 · Aug 1–6

Book a Meeting →

Book a Meeting →

Home / Topics / Employee Risk Scoring

Problem Brief

Employee risk scoring.

A CFO and an intern should not be treated as the same risk. Most scoring systems treat them as the same risk.

A CFO and an intern should not be treated as the same risk. Most scoring systems treat them as the same risk.

A CFO and an intern should not be treated as the same risk. Most scoring systems treat them as the same risk.

Attackers pick targets by access. A useful employee risk score has to model both sides: who is likely to fail, and how expensive that failure would be. Scores built on clicks alone get exactly half the picture.

The Problem

What click-based scores get wrong.

01

Impact-blind

An intern who clicks everything scores worse than a wire-authorized controller who clicks occasionally. Your remediation effort flows to the wrong person.

02

Channel-blind

Someone flawless on email may hand over credentials to a confident voice on the phone. Email-only scoring certifies people who’ve never been tested where they’re weakest.

03

Static

People change jobs, gain access, get promoted into attack surface. A score that doesn’t track exposure changes goes stale silently.

Why Legacy Training Struggles

Scores built from what was easy to count.

Legacy platforms score what their architecture produces: training completions and email clicks. Exposure lives in your HRIS and identity provider; resilience lives in reporting telemetry. A platform that doesn’t integrate with those systems can’t score risk — it can only score participation.

What Modern Looks Like

Score the person, weight the blast radius.

Behavior, multi-channel

Fail rates and reporting behavior across email, SMS, and voice — the likelihood term, measured where attacks actually happen.

Exposure, from your systems

Payment authority, production access, admin rights, executive proximity — synced from HRIS and identity so scores update when roles do.

Prioritized output

A remediation queue sorted by business impact. The top ten names are where your next incident is most likely to start.

Cimento's Approach

Risk scoring that survives contact with an attacker’s logic.

Cimento models who is likely to fail and who has the access attackers care about, then routes adaptive micro-training to the intersection. Remediation is ordered by business impact.

Role-Based Risk Matrix · Sample

Likelihood

Impact

Priority

Controller

Med

Crit

P0

Exec Asst

High

High

P1

SRE

Low

High

P2

Intern

High

Low

P2

Same click rate, different priority — because impact is half the score.

FAQ

Is individual risk scoring fair to employees?

What data does exposure scoring require?

How often should scores update?

Know your top ten risks by name.

The 14-day baseline produces role-based scores for your actual org — and a remediation queue sorted by what an attacker would target first.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.