Download Behavior Risk Calculator

Spot abnormal downloads before data leaves your perimeter. Weight context, device trust, and file sensitivity. Turn results into actions that reduce insider risk fast.

Inputs

Typical range: 0–200+.
Use an estimate from logs or proxy reports.
Sources not seen in baseline history.
Percent outside normal business hours.
Higher sensitivity increases impact risk.
Examples: archives, exports, keys, credentials.
Where the downloaded data is likely to land.
Higher access increases potential blast radius.
Use the most common access path observed.
Compliant means patched and policy-aligned.
Healthy means active, reporting, and up to date.
Counts only confirmed or high-confidence alerts.
Includes risky attachments and blocked downloads.
Approved exceptions should be excluded if possible.

Example data table

Sample records showing how inputs can vary across users or sessions.

| User | Downloads/day | Avg size (MB) | Unknown (%) | Off-hours (%) | Sensitivity | Destination | DLP (30d) | Risk tier |
|---|---|---|---|---|---|---|---|---|
| Analyst-A | 35 | 12 | 8 | 4 | Internal | Managed | 0 | Low |
| Engineer-B | 120 | 55 | 22 | 18 | Confidential | Shared | 3 | Medium |
| Admin-C | 210 | 95 | 38 | 41 | Restricted | Personal cloud | 11 | Critical |
| Vendor-D | 90 | 35 | 30 | 12 | Confidential | Unknown | 6 | High |

Use your own logs to replace these example figures.

Formula used

This calculator converts each input into a 0–100 sub-score, then combines them using weighted scoring. Role sensitivity adds a small modifier.

Risk Score = 0.18·Volume + 0.12·Unknown + 0.10·OffHours + 0.18·Sensitivity
+ 0.10·FileType + 0.12·Destination + 0.10·Posture
+ 0.04·DLP + 0.04·Malware + 0.02·Policy + RoleModifier

  • Volume blends downloads/day and average file size.
  • Sensitivity maps labels from Public to Restricted.
  • Posture reflects device compliance and endpoint health.
  • Signals use alert counts with capped scaling.
  • Tiering is Low <30, Medium 30–59, High 60–79, Critical ≥80.
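
The weighted combination and tiering above, written out as an added Python example (not the calculator's own code). The weights and tier boundaries come from this page; the `capped` helper with its cap of 10 alerts, the clamping to 0–100, the role modifier value, and the sample sub-scores are assumptions made for illustration.

```python
# Added illustration; not the calculator's own code.
# Weights are the ones in the page's formula and sum to 1.00.
WEIGHTS = {
    "volume": 0.18, "unknown": 0.12, "off_hours": 0.10, "sensitivity": 0.18,
    "file_type": 0.10, "destination": 0.12, "posture": 0.10,
    "dlp": 0.04, "malware": 0.04, "policy": 0.02,
}
# Tier floors from the page: Low <30, Medium 30-59, High 60-79, Critical >=80.
TIERS = [(80, "Critical"), (60, "High"), (30, "Medium"), (0, "Low")]


def capped(count, cap=10):
    """Assumed form of 'capped scaling': linear in alerts, saturating at `cap`."""
    return 100.0 * min(max(count, 0), cap) / cap


def risk_score(sub_scores, role_modifier=0.0):
    """Return (score, tier, top-3 drivers) from 0-100 sub-scores."""
    missing = WEIGHTS.keys() - sub_scores.keys()
    if missing:
        raise ValueError(f"missing sub-scores: {sorted(missing)}")
    # Clamp each sub-score so one bad input cannot exceed its weight.
    contrib = {k: w * min(max(sub_scores[k], 0.0), 100.0) for k, w in WEIGHTS.items()}
    total = sum(contrib.values()) + role_modifier
    # Round before tiering so float error cannot move a boundary score down a tier.
    total = round(min(max(total, 0.0), 100.0), 1)
    tier = next(name for floor, name in TIERS if total >= floor)
    drivers = sorted(contrib, key=contrib.get, reverse=True)[:3]
    return total, tier, drivers


# Constructed session (sub-score values are made up for illustration).
SAMPLE = {
    "volume": 90, "unknown": 38, "off_hours": 41, "sensitivity": 100,
    "file_type": 80, "destination": 85, "posture": 60,
    "dlp": capped(11), "malware": capped(2), "policy": capped(1),
}

if __name__ == "__main__":
    print(risk_score(SAMPLE, role_modifier=5.0))  # role modifier value is assumed
```

The drivers list ranks factors by weighted contribution, so a low-weight signal such as DLP alerts cannot dominate the explanation even when its sub-score is saturated.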

How to use this calculator

  1. Collect download metrics from proxy, CASB, or repository logs.
  2. Estimate unknown sources and off-hours percentages from baselines.
  3. Select the highest applicable data sensitivity and file type risk.
  4. Choose the most likely destination class for the session.
  5. Enter recent security signals from DLP, EDR, and policy tools.
  6. Submit to get a risk score, key drivers, and safeguards.
  7. Download CSV or PDF to share with your response team.

Why download behavior signals matter

Download activity is often the final step before data exposure. A single user can move sensitive files from controlled repositories to unmanaged endpoints in minutes. This calculator translates raw activity into a consistent 0 to 100 risk score, helping teams compare users, sessions, and time periods using the same yardstick. Clear scoring supports faster triage, consistent reporting, and measurable control improvements across teams and tools.

Key inputs and what they represent

Volume inputs combine downloads per day with average file size to estimate throughput. Unknown source percentage captures new domains, unfamiliar repositories, or first-time endpoints. Off-hours percentage highlights activity outside normal patterns. Sensitivity, file type, and destination selections approximate impact and likelihood, reflecting how valuable the content is and where it may end up. Recent alert counts add context from protective tools and user history.

Interpreting the score and tiers

The model normalizes each factor to a sub-score, then applies weighted scoring to emphasize high-consequence drivers. Low risk is under 30, Medium is 30 to 59, High is 60 to 79, and Critical is 80 or higher. Use the drivers list to understand why a user scored high, rather than treating the number as a verdict. Compare the score against peer baselines to reduce noise.

Reducing risk with practical controls

When sensitivity and destination risk are elevated, prioritize containment controls. Apply rate limits, require step-up authentication, and restrict personal cloud uploads for regulated datasets. Pair these with preventive monitoring such as DLP rules for exports, archives, keys, and credential files. Device compliance and endpoint protection health are strong levers, because compromised or unmanaged devices amplify every other factor. Coaching and access cleanup often reduce recurring spikes.

Operationalizing results in monitoring workflows

Use proxy, CASB, repository logs, and identity telemetry to populate the fields daily or per incident. Track score trends by department, role, or project to spot drift. Combine this score with alerts, investigation notes, and access reviews to close the loop. Over time, adjust thresholds and weight assumptions using observed false positives and confirmed incidents to improve precision. Document changes, then re-baseline to keep comparisons meaningful across quarters.

FAQs

1) What does “unknown source downloads” mean here?

It represents downloads from new domains, repositories, or endpoints not seen in your baseline history for the user, team, or organization, depending on how you define normal.

2) Should I calculate per user or per session?

Both work. Per session helps incident triage, while per user helps trend monitoring. Keep your input sources consistent so scores remain comparable over time.

3) How accurate is the score?

It is a structured estimate, not a guarantee. Use it to prioritize review and controls, then validate using investigation context, ticket history, and confirmed outcomes.

4) Why do role and sensitivity matter so much?

They represent potential blast radius and impact. Higher access and more sensitive data increase the harm if downloads are exfiltrated, even when activity looks similar.

5) What should I do when a result is Critical?

Start containment: restrict bulk downloads, require step-up authentication, review destination indicators, preserve audit logs, and open an incident workflow with clear ownership.

6) Can I change the weights and thresholds?

Yes. Align weights with your threat model and environment. Recalibrate after you review outcomes, then document updates so teams understand score changes.


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.