Endpoint Insider Risk Calculator

Measure endpoint risk from behavior, alerts, and access. Identify top drivers and harden controls quickly. Export evidence, compare devices, and prioritize response with confidence.

Endpoint inputs

Fill baseline fields to score spikes more accurately. Notes attached to the form fields:
  - Recent telemetry counts are used with the baseline to score spikes.
  - A baseline is the typical daily value for this endpoint/user.
  - Spike fields are scored as a spike versus the baseline (log scale).
  - Alert fields combine alert confidence and impact for your environment.

Security controls (reduce risk)

Controls lower risk by up to 40% when fully enabled.
Example data table

| Endpoint    | Owner  | Role       | Upload Spike | DLP Alerts | Patch Age | Score | Level  |
|-------------|--------|------------|--------------|------------|-----------|-------|--------|
| FIN-LAP-044 | a.khan | Privileged | 7.2×         | 4          | 68d       | 71.4  | High   |
| ENG-WS-112  | s.ali  | Standard   | 1.3×         | 0          | 18d       | 18.6  | Low    |
| HR-LAP-009  | n.sana | Privileged | 3.8×         | 2          | 45d       | 49.7  | Medium |

Scores vary with weights, baselines, and enabled controls.
Formula used

Each factor is normalized into a 0–1 score (higher means riskier) and multiplied by a weight. The base risk is the weighted average of all factor scores:

BaseRisk = (Σ wᵢ × sᵢ) / (Σ wᵢ)

Defensive controls create a protection score Protection from 0–1. The final risk score applies up to a 40% reduction:

RiskScore = clamp( BaseRisk × 100 × (1 − 0.40 × Protection), 0, 100 )

Spike factors use baselines and a log scale, so extreme outliers do not dominate the model.
How to use this calculator
  1. Enter endpoint identity, role, department risk, and data sensitivity.
  2. Provide recent telemetry (24h/7d) and your typical baselines.
  3. Mark enabled security controls to reflect your real posture.
  4. Click Calculate risk to see score, drivers, and actions.
  5. Export CSV/PDF for investigations, tickets, or evidence packages.

Why endpoint signals matter in practice

Insider risk often looks like normal work until volume changes. A 7‑day view of USB events, new executables, off‑hours activity, and cloud sync anomalies highlights gradual drift. The calculator converts these observations into normalized 0–1 scores so different units can be compared consistently.

Baselines turn spikes into evidence

Raw counts mislead without context. The model uses ratios such as failed logins today divided by a typical 24‑hour baseline, then applies a log scale so extreme outliers do not overwhelm the score. For example, a 7× upload spike is riskier than 1.2×, but not seven times riskier. This makes the score stable when one noisy day occurs.

Reading weighted drivers correctly

Each factor has a weight that reflects investigative value and harm. Contribution is weight × normalized score, so a moderate signal with a high weight can outrank a noisy signal. The “Top risk drivers” list helps analysts focus on what moved the score, not just what happened. Patch age, local admin accounts, and data sensitivity often become decisive in repeat cases.

Controls reduce risk, but never to zero

Defensive posture is measured separately and reduces total risk by up to 40%. Enabling MFA, disk encryption, EDR, DLP, and least privilege increases the protection score toward 1.0. Risk reduction is capped because controls can fail, be bypassed, or simply generate better detection rather than prevention. If EDR severity is high, treat that signal as urgent regardless of protections.

Operational thresholds for response

Use score bands to standardize action. Scores below 25 usually fit routine monitoring and baseline tuning. From 25–49, confirm ownership, validate VPN travel, and investigate anomalies. From 50–74, open an incident workflow, preserve logs, and validate data destinations. At 75 and above, isolate the endpoint, rotate credentials, and conduct targeted user interviews.
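The formula, baseline/log-scale spike scoring, weighted drivers, 40% control cap and score bands described above, carried through end to end as an added Python illustration (not the calculator's own code, which keeps its weights in a $factors array). The weights, the 10× spike saturation point, the 5-alert and 90-day saturation points and the "Critical" label for the 75+ band are assumptions made here; the sample endpoint is constructed.

```python
import math

# Constructed weights for illustration; the real tool keeps its tunable weights in a $factors array.
WEIGHTS = {"upload_spike": 3.0, "failed_login_spike": 2.0, "dlp_alerts": 2.0,
           "patch_age": 1.0, "privileged": 1.0, "data_sensitivity": 1.0}
CONTROLS = ("mfa", "disk_encryption", "edr", "dlp", "least_privilege")
MAX_REDUCTION = 0.40  # controls reduce risk by at most 40%

def spike_score(value, baseline, cap_ratio=10.0):
    """Ratio vs baseline on a log scale: 0 at or below baseline, 1 at cap_ratio x.
    cap_ratio is an assumed saturation point, not a value from the page."""
    baseline = max(baseline, 1.0)          # avoid division by zero on quiet endpoints
    ratio = value / baseline
    if ratio <= 1.0:
        return 0.0
    return min(1.0, math.log10(ratio) / math.log10(cap_ratio))

def linear_score(value, full_at):
    """Clamp a count or age into 0..1; full_at is the assumed saturation point."""
    return min(1.0, max(0.0, value / full_at))

def protection_score(enabled):
    """Fraction of the listed controls that are enabled, 0..1."""
    return sum(1 for c in CONTROLS if c in enabled) / len(CONTROLS)

def band(risk):
    """Page thresholds: <25, 25-49, 50-74, 75+; 'Critical' is an assumed label for the top band."""
    return "Low" if risk < 25 else "Medium" if risk < 50 else "High" if risk < 75 else "Critical"

def score_endpoint(inputs, enabled_controls):
    """Return (risk 0-100, band, top three drivers as (factor, weight x score))."""
    scores = {
        "upload_spike": spike_score(inputs["uploads_24h"], inputs["uploads_baseline"]),
        "failed_login_spike": spike_score(inputs["failed_logins_24h"], inputs["failed_logins_baseline"]),
        "dlp_alerts": linear_score(inputs["dlp_alerts_7d"], 5),
        "patch_age": linear_score(inputs["patch_age_days"], 90),
        "privileged": 1.0 if inputs["role"] == "Privileged" else 0.0,
        "data_sensitivity": inputs["data_sensitivity"],   # analyst-supplied 0..1
    }
    base = sum(WEIGHTS[k] * s for k, s in scores.items()) / sum(WEIGHTS.values())
    risk = base * 100 * (1 - MAX_REDUCTION * protection_score(enabled_controls))
    risk = max(0.0, min(100.0, risk))      # clamp to the 0-100 band
    drivers = sorted(((k, round(WEIGHTS[k] * s, 2)) for k, s in scores.items()), key=lambda kv: -kv[1])
    return round(risk, 1), band(risk), drivers[:3]

# Constructed sample resembling the page's FIN-LAP-044 row: 7.2x upload spike, 4 DLP alerts, 68-day patch age.
SAMPLE = {"uploads_24h": 720, "uploads_baseline": 100, "failed_logins_24h": 3, "failed_logins_baseline": 3,
          "dlp_alerts_7d": 4, "patch_age_days": 68, "role": "Privileged", "data_sensitivity": 0.8}

if __name__ == "__main__":
    print(score_endpoint(SAMPLE, {"mfa", "edr"}))   # partial controls -> High band
    print(score_endpoint(SAMPLE, set(CONTROLS)))    # every control on: lower score, never zero
```

Running it shows the same endpoint landing in the High band with two controls and dropping into Medium with all five enabled, while the upload spike stays the top driver either way.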

Reporting for audits and tuning

Exporting CSV and PDF creates a repeatable record of inputs, outputs, and recommended actions. Track weekly averages per department to detect systemic issues, then adjust baselines, weights, and alert thresholds. Over time, fewer false positives should shift drivers toward truly abnormal behavior and reduce response fatigue. Pair reports with tabletop exercises to refine playbooks and escalation paths for teams.

FAQs

What does the 0–100 risk score represent?

It is a weighted triage score combining identity, activity spikes, alerts, and posture signals. Higher values indicate more concerning patterns and higher potential impact for that endpoint.

Why do I need baselines for logins and uploads?

Baselines convert raw counts into spikes. A user with three normal failed logins differs from a user with thirty. Ratios plus log scaling reduce noise and make comparisons fair.

Can I change the factor weights?

Yes. Edit the $factors array weights to reflect your environment. Keep the sum of weights reasonable and validate changes against past incidents to avoid overfitting.

How do security controls reduce risk?

Enabled controls build a protection score from 0 to 1. The final score applies up to a 40% reduction, reflecting that defenses lower exposure but cannot eliminate insider risk completely.

What is included in the CSV and PDF exports?

Exports include the endpoint identity, all input values, the final score and level, top driver contributions, and recommended actions. This supports ticketing, audits, and evidence packaging.

Is this calculator a definitive insider detection system?

No. It is a heuristic model for prioritization. Always corroborate with logs, case context, HR processes, and legal guidance before taking action against a person or device.

This tool provides a heuristic risk score for triage, not a definitive verdict.
