How the empowsec Employee Risk Scoring Engine Works

Click rates from a single phishing campaign tell you how many people fell for a lure on one day. They do not tell you which employees carry sustained risk, whether a department is trending in the right direction, or whether last month's remedial training is having any effect. empowsec's risk scoring engine was built to answer those harder questions. Every phishing and training event - whether an employee clicked a simulated link, reported a suspicious email, or completed remedial training - contributes to a dynamic, time-weighted score that reflects current behavior rather than a snapshot from any single campaign.
This article explains precisely how the scoring engine works, which events it tracks, how time decay affects the score, and how individual scores aggregate to give team leaders and administrators a picture of risk across the whole organization.
Weighted Events: What Raises and Lowers the Score
At the core of the risk scoring engine is a set of events, each assigned a base point value that reflects how much that behavior matters to overall security posture. Events are divided into negative events, which raise the risk score, and positive events, which lower it.
Negative events and their base point values are as follows. Clicking a simulated phishing link adds 20 base points and carries approximately a one-year half-life. Submitting credentials on a simulated phishing landing page adds 30 base points. Replying to a simulated phishing email adds 25 base points. Opening a phishing email without clicking adds 1 base point. Training becoming overdue adds 3 base points per week that it remains outstanding. Failing a quiz adds 8 base points.
Positive events and their base point values are as follows. Reporting a real phishing email reduces the score by 8 points. Reporting an empowsec simulation reduces it by 5 points. Reporting a spam email reduces it by 3 points. Completing assigned training on time reduces it by 4 points. Completing remedial training reduces it by 6 points. Passing a quiz on the first attempt reduces it by 3 points.
These specific values are not arbitrary. Submitting credentials carries the highest negative weight because it represents the most complete failure of phishing awareness - the employee not only clicked the link but actively handed over information. Clicking the link carries a lower but still significant weight, because it demonstrates susceptibility to the lure even if credentials were not submitted. Reporting a real phishing email carries the highest positive weight, because that behavior actively protects the organization from a live threat. The point values create a ranking of behaviors by their actual consequence for organizational security.
Exponential Time Decay: Why Recent Behavior Matters More
A static point system would accumulate risk indefinitely. An employee who clicked a phishing link three years ago would carry that event at full weight forever, even if they had since reported a dozen real phishing emails and passed every quiz on the first attempt. That is not an accurate picture of current risk. empowsec addresses this with exponential time decay applied to every event: the impact of an event diminishes over time according to a half-life.
The half-life concept comes from physics: a value with a half-life of one year is worth half its original value after one year, a quarter after two years, and so on. In the risk scoring engine, negative events like clicking a phishing link carry approximately a one-year half-life. This means the 20-point impact of a phishing click from twelve months ago contributes only about 10 points to the current score. After two years, it contributes about 5 points. The event does not disappear from the record, but its influence on the score naturally fades unless the behavior recurs.
Positive events, such as reporting a simulation or completing training on time, carry a shorter half-life of approximately six months. This might seem counterintuitive - why should good behavior decay faster than bad? - but it reflects a sound training philosophy. Security skills need to be practiced regularly to stay sharp. An employee who completed a training module two years ago is not demonstrating current competence; they are demonstrating past competence. The faster decay of positive events means the score naturally rises if an employee goes a long period without any positive security behaviors, which is exactly the signal that should prompt a nudge or a new assignment.
Together, the two half-lives create a scoring system that continuously re-evaluates current risk rather than simply accumulating history. An employee who had a difficult few months but then improved their behavior consistently will see their score fall steadily over time. An employee who has been coasting without any phishing interaction or training completion will see their positive-event contributions decay, keeping their score elevated until they demonstrate active engagement again.
Roll-Up Scores: From Individual to Department to Company
Individual risk scores are valuable for identifying which employees need the most support. But the risk scoring engine does not stop at the individual level. Scores roll up to the department level and then to the company level, giving team leaders, department managers, and executives a view of risk that matches their organizational scope.
A department risk score aggregates the individual scores of all employees in that department, giving a manager insight into which teams are performing well and which carry elevated collective risk. A finance team that has just completed a targeted phishing campaign and training module should show a lower aggregate score than a newly onboarded sales team that has not yet completed their first assignment. This comparison helps administrators prioritize where to direct the next campaign, which department to assign remedial training to first, and where escalation to a manager is warranted.
At the company level, the roll-up provides leadership with a single headline number that captures the organization's overall security posture at a given moment in time. When that number is trending down, the security awareness program is working. When it rises, it is a signal to investigate - was there a challenging new phishing scenario? Did onboarding lag? Did a department fall behind on renewals? The company-level score turns a complex collection of individual behaviors into a management signal.
How the Score Connects to the Rest of empowsec
The risk score does not exist in isolation. It is the output of every other feature in the platform that generates a behavioral signal: phishing simulation campaigns, remedial training assignments, quiz results, reporting events from the Outlook or Gmail add-in, and training completion records all feed into the score. In this way the risk score is a summary of the entire security awareness program as it applies to a specific employee.
This connection works in the other direction too. When an employee clicks a simulated phishing link, empowsec can automatically assign remedial training. Completing that remedial training generates a positive event that partially offsets the click. Reporting a simulation later generates another positive event. The score reflects this trajectory: an employee who clicked, completed remediation, and then demonstrated improved behavior is on a meaningfully different trajectory from an employee who clicked and never engaged with remediation. The score captures that difference in a way that a simple click-rate report cannot.
For administrators and security managers, the risk score provides a basis for prioritization that goes beyond which employees performed worst on the last campaign. It asks which employees carry the highest current risk, accounting for everything they have done and not done across all their interactions with the platform. That is a more actionable question, and it is the question empowsec's risk scoring engine is designed to answer.
What This Means for Your Team
- Weighted events assign point values calibrated to the actual consequence of each behavior - submitting credentials (30 points) matters more than opening an email (1 point).
- Exponential time decay with distinct half-lives for negative (~1 year) and positive (~6 months) events ensures the score reflects current risk, not accumulated history.
- Score roll-up from individual to department to company gives every level of the organization a risk view appropriate to their scope.
- Automatic remedial assignment on a phishing click means the score is tied directly to corrective action, not just measurement.
- Actionable prioritization lets security teams focus limited training resources where ongoing behavioral signals indicate the greatest current need.


