Measure employee risk using observable security indicators only. Tune weights to match your organization's policy. Export results, compare scenarios, and reduce insider exposure fast.
| Employee | Role Crit. | Access | Priv. Anom. | DLP | Endpoint | Unusual Logins | Notice | Score | Band |
|---|---|---|---|---|---|---|---|---|---|
| A. Khan | 5 | 5 | 3 | 14 | 9 | 6 | Yes | 41.57 | Medium |
| S. Malik | 3 | 3 | 1 | 2 | 3 | 2 | No | 14.72 | Low |
| R. Ali | 4 | 4 | 4 | 8 | 12 | 10 | No | 34.44 | Medium |
| M. Fatima | 2 | 2 | 0 | 0 | 1 | 1 | No | 7.13 | Low |
Each factor is normalized to a 0–1 scale using a defined maximum, then combined with weights. The final score is scaled to 0–100 for easier interpretation.
Bands: Low <25, Medium 25–49.99, High 50–74.99, Critical ≥75.
A threat score is a triage metric built from observable security signals. Counts from identity, endpoint, and data protection controls are normalized to common ranges. The score helps analysts sort queues, compare similar time windows, and document why a case was prioritized. Teams often map scores to response SLAs, such as review within 24 hours above 50 and within 4 hours above 75.
This model converts each factor to a 0–1 value using a defined maximum, then combines factors using normalized weights. Scaling to 0–100 produces intuitive bands. If your environment generates more alerts, raise maxima to avoid saturating every score.
Weights should reflect incident history and control reliability. Start with default weights, then review past investigations. If DLP events strongly correlate with confirmed misuse, increase that weight. If login anomalies are noisy, reduce their weight or improve detection tuning. Compare average factor values for confirmed cases versus benign cases and adjust weights toward signals with larger separation.
Driver points show which signals contributed most. High DLP, privileged anomalies, and endpoint alerts often represent stronger risk than training failures alone. Always add context: role necessity, change windows, travel schedules, and approved administrative tasks. Use the top five drivers as an investigation checklist, verifying logs, affected assets, data classifications, and whether access was granted temporarily or inherited.
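The normalization, capping, weight normalization, banding, and driver points described above can be sketched as follows. This is an added example, not the calculator's own code: the factor names, maxima, and weights are constructed placeholders because the page does not list its defaults, so the scores will not match the sample table.

```python
# Added example. MAXIMA and WEIGHTS are constructed placeholders (assumptions),
# not the calculator's defaults; tune both to your own alert volumes.
MAXIMA = {"role_crit": 5, "access": 5, "priv_anom": 10, "dlp": 20,
          "endpoint": 20, "unusual_logins": 20, "notice": 1}
WEIGHTS = {"role_crit": 10, "access": 10, "priv_anom": 20, "dlp": 25,
           "endpoint": 15, "unusual_logins": 10, "notice": 10}
# Band floors from the page: Low <25, Medium 25-49.99, High 50-74.99, Critical >=75.
BANDS = [(75, "Critical"), (50, "High"), (25, "Medium"), (0, "Low")]


def normalize_weights(weights):
    """Accept any positive weights and rescale them so they sum to 1."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def score(factors, maxima=MAXIMA, weights=WEIGHTS):
    """Return (score 0-100, band, driver points ranked high to low)."""
    w = normalize_weights(weights)
    points = {}
    for name, maximum in maxima.items():
        raw = max(0.0, float(factors.get(name, 0)))   # missing factor counts as 0
        norm = min(raw, maximum) / maximum            # cap at the factor maximum
        points[name] = 100 * w[name] * norm           # this factor's share of the score
    total = round(sum(points.values()), 2)
    band = next(label for floor, label in BANDS if total >= floor)
    ranked = sorted(((n, round(p, 2)) for n, p in points.items()),
                    key=lambda item: item[1], reverse=True)
    return total, band, ranked


if __name__ == "__main__":
    # Constructed record for one scoring window (not a row from the table).
    record = {"role_crit": 4, "access": 3, "priv_anom": 5, "dlp": 10,
              "endpoint": 2, "unusual_logins": 40, "notice": 0}
    total, band, drivers = score(record)
    print(total, band)
    for name, pts in drivers[:5]:                     # top five drivers as a checklist
        print(f"  {name}: {pts}")
```

In the constructed record, `unusual_logins` is 40 against a maximum of 20, so it contributes its full weight and no more; that saturation is the signal to raise the maximum if such counts are routine.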
Use only approved, policy-compliant indicators, and avoid sensitive personal attributes. Apply consistent scoring windows and criteria across roles. Treat the output as decision support, not evidence of intent. Require human review, and track false positives to improve thresholds. Segment reporting by job function and alert source to confirm the model does not over-score groups due to tooling coverage differences.
Exported CSV and PDF outputs support audit trails and case notes. Track distribution of scores over time, and monitor how many High or Critical cases convert to confirmed incidents. Use that feedback to tune weights, maxima, and detection sources quarterly. When you change weights, record version numbers, and compare pre/post score percentiles so leadership can see whether triage volume and outcomes improved.
It is a relative triage score built from normalized security indicators and weights. It ranks cases for review, but it does not prove intent or wrongdoing.
Use the same window for comparisons, commonly 30 or 90 days. Short windows highlight spikes, while longer windows reveal persistent behavior.
No. Any positive values are accepted. The calculator automatically normalizes them so the total influence sums to 100 percent.
Values are capped at the factor maximum during normalization. Increase the maximum if your environment regularly produces higher counts.
Only use indicators approved by policy and legal guidance. Avoid sensitive personal data and ensure consistent criteria across roles.
Review top drivers, validate source alerts, and record outcomes. Then tune detections, maxima, and weights using confirmed cases versus benign cases.