
Risk Level and Risk Score

Cyberhaven leverages the events data generated from your existing datasets and policies to calculate a risk score for each user. This score determines the user's risk level. Users are then ranked according to these risk levels.

The following sections provide a detailed explanation of risk levels and risk scores.

What is Risk Level?

Cyberhaven assesses the risk level of each user by analyzing their actions.

The users with the highest risk level are displayed at the top of the Insider Risk table for easy identification. The risk level is determined over a 90-day period and users are organized into the following five categories.

Critical

High

Medium

Low

Very Low

The risk score is calculated using the following three essential factors.

Dataset sensitivity

User risk multiplier

Policy severity

Cyberhaven evaluates the user risk scores for the last 90-day data access period to record the lowest and highest risk scores. These values determine the range into which the users are then categorized. The categorization begins with a "Very Low" risk level which corresponds to a risk score of 0 and ends with a "Critical" risk level which matches the highest observed risk score. Every category has a limit which is set automatically by Cyberhaven's clustering process.

For example, the clustering algorithm may categorize risk scores in the range of 0-100 as "Very Low", 101-200 as "Low", 201-300 as "Medium" and so on.

These category limits are not static and are constantly re-evaluated based on the collective risk scores of all the users over the same data access period.

What is Risk Score?

Cyberhaven calculates a risk score for each user based on their interactions with your corporate data. The risk score determines a user's risk level. The risk score is calculated by considering the total number of events that match a combination of dataset and policy. Additionally, the risk score includes the following three elements derived from each matched event.

Dataset Sensitivity: The administrator assigns a sensitivity rating to the data transfer linked with the dataset.

Datasets have the following five sensitivity ratings.

| Sensitivity Rating | Value |
|--------------------|-------|
| Critical           | 8     |
| High               | 4     |
| Moderate           | 2     |
| Low                | 1     |
| Unrestricted       | 0     |

User Risk Multiplier: The administrator assigns a risk multiplier value depending on the criticality of the user risk group. The User Risk Multiplier can be any of the following values: 0, 0.25, 0.5, 1, 2, 3, 4.

Policy Severity: The administrator assigns a severity rating for the policy based on its criticality and the potential impact of a violation.

Policies have the following five severity ratings.

| Severity Rating | Value |
|-----------------|-------|
| Critical        | 8     |
| High            | 4     |
| Medium          | 2     |
| Low             | 1     |
| Informational   | 0     |
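The following is an added example, not Cyberhaven's code, showing how the rating values above could combine into per-user scores and relative risk levels. It assumes the three factors are multiplied per matched event and summed per user, and it uses equal-width bands between 0 and the highest observed score as a stand-in for the clustering process, neither of which this page specifies; the events and user names are constructed.

```python
from collections import defaultdict

# Rating values taken from the tables on this page.
DATASET_SENSITIVITY = {"Critical": 8, "High": 4, "Moderate": 2, "Low": 1, "Unrestricted": 0}
POLICY_SEVERITY = {"Critical": 8, "High": 4, "Medium": 2, "Low": 1, "Informational": 0}
USER_RISK_MULTIPLIERS = {0, 0.25, 0.5, 1, 2, 3, 4}
LEVELS = ["Very Low", "Low", "Medium", "High", "Critical"]

# Constructed sample: (user, dataset sensitivity, policy severity, user risk multiplier)
EVENTS = [
    ("alice", "Critical", "High", 2),
    ("alice", "High", "Medium", 2),
    ("bob", "Critical", "Critical", 0),        # multiplier 0 silences the event
    ("carol", "Unrestricted", "Critical", 4),  # unrestricted data contributes 0
    ("carol", "Moderate", "Low", 0.5),
    ("dave", "Critical", "Low", 3),
]

def event_score(sensitivity, severity, multiplier):
    # ASSUMPTION: the factors are multiplied; the page does not state the formula.
    if multiplier not in USER_RISK_MULTIPLIERS:
        raise ValueError(f"unsupported user risk multiplier: {multiplier}")
    return DATASET_SENSITIVITY[sensitivity] * POLICY_SEVERITY[severity] * multiplier

def user_scores(events):
    # ASSUMPTION: a user's score is the sum over their matched events.
    totals = defaultdict(float)
    for user, sensitivity, severity, multiplier in events:
        totals[user] += event_score(sensitivity, severity, multiplier)
    return dict(totals)

def risk_levels(scores):
    # Stand-in for the clustering step: five equal-width bands from 0 to the
    # highest observed score, so limits move whenever the population changes.
    top = max(scores.values(), default=0)
    levels = {}
    for user, score in scores.items():
        band = 0 if top == 0 else min(int(score * 5 / top), 4)
        levels[user] = LEVELS[band]
    return levels

if __name__ == "__main__":
    scores = user_scores(EVENTS)
    for user, level in sorted(risk_levels(scores).items()):
        print(f"{user:6} score={scores[user]:6.2f} level={level}")
```

Because the bands are relative to the highest observed score, removing the top-scoring user from the input moves every other user's level, which mirrors the statement that category limits are constantly re-evaluated.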

Resetting the Risk Score

After reviewing a user's actions, you have the option to reset their risk score to zero. The risk score recorded at midnight UTC (last night) will be cleared, and any risks generated after that time will be added to the user's risk score.

To reset a user's risk score:

1. Select the user from the Insider Risk table and click on Actions in the right panel. Then click on Clear risk score.

Alternatively, you can click on the kebab icon in the selected row and click on Clear risk score.

2. Enter a comment in the pop-up window to keep a record of the details before you reset the risk score.