Quantify insider threat signals using weighted behavioral indicators. Compare role, access, and anomalies across time. Act early with evidence, not guesses, in security decisions.
| Profile | Privilege | Exfil | Off-hours | Violations | Training % | Tenure (mo) | Expected band |
|---|---|---|---|---|---|---|---|
| Finance analyst | 2 | 1 | 3 | 0 | 95 | 48 | Low |
| IT admin | 5 | 4 | 10 | 2 | 70 | 18 | Guarded |
| Contractor | 3 | 9 | 18 | 6 | 40 | 3 | Elevated |
| Privileged user | 5 | 15 | 22 | 12 | 20 | 6 | High |
Each signal is normalized to a 0–1 scale using its configured range. For mitigating signals, the normalized value is inverted so higher values reduce risk.
The normalized value is then adjusted using a noise floor and a sensitivity exponent: adj = clamp(norm + noiseFloor/100, 0, 1) ^ sensitivity.
The composite score is a weighted average: score = (Σ(weight × adj) / Σ(weight)) × 100.
Confidence reflects completeness of inputs, and the effective score applies a small confidence adjustment to reduce overreaction to sparse data.
Insider investigations often begin with scattered signals across identity, endpoint, and data controls. This calculator turns common indicators into one comparable score so analysts can rank cases, track movement week to week, and explain why a review started. Use the score as a prioritization aid, not a verdict. Document the top drivers and attach evidence links to every case record.
Different organizations treat the same behavior differently. A developer pushing code late may be normal, while off‑hours access to finance exports may be rare. The weight fields let you reflect that reality by emphasizing high-impact domains such as privileged access, exfil indicators, and policy violations, while de-emphasizing noisier metrics. Start with defaults, then tune after three incident cycles and one access review.
Inputs use ranges like 0–50 bursts or 0–240 months. Each value is normalized to 0–1, then inverted for mitigating factors like training completion or tenure, so higher maturity lowers risk. Normalization prevents any single unit from dominating solely because it has larger raw numbers. If your ranges differ, edit them in code to match observed baselines.
The sensitivity setting applies an exponent to the normalized values. Higher sensitivity boosts outliers, which helps in environments where rare events have high consequence. Lower sensitivity smooths the curve for operational stability. Pair sensitivity with a small noise floor to reduce sharp jumps when values are near zero. Sensitivity near 1.0 is linear; higher is sharper.
Real cases are incomplete. When some fields are unknown, the calculator uses neutral midpoints but lowers confidence. The effective score combines the composite score with confidence so incomplete records do not over-trigger review queues. Track completeness as a quality metric for your telemetry and case intake.
Set a review threshold that matches capacity and policy. For example, start reviews above 55, request manager context above 70, and require dual approval above 80. Recalibrate monthly using closed cases: compare score distributions, false positives, and missed events, then adjust weights and ranges accordingly. Keep audit logs for threshold changes, and align scoring with HR and legal.
No. It is a triage aid that ranks signals and highlights drivers. Always validate context, approvals, and evidence before taking action or contacting employees.
Start with the defaults, then compare scores against closed cases. Increase weights for controls that historically correlate with confirmed incidents and reduce weights for noisy telemetry.
Confidence reflects input completeness. Blank fields use neutral midpoints but reduce confidence so the effective score is less likely to over-prioritize incomplete records.
They act as mitigating factors. Strong training completion and longer tenure can reduce baseline risk, but they should never override strong evidence of malicious behavior.
Monthly works for most teams. Review score distributions, case outcomes, and capacity, then adjust the review threshold to keep queues stable without missing meaningful events.
Yes. Use the CSV export for structured case notes and the PDF snapshot for human review packs. Store exports with ticket IDs and supporting evidence links.
Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.