User Risk Score is a metric you can use to determine the risk a user might pose to your organization's cloud services and data, in order to better analyze your organization's overall security posture. It allows you to discover and track any changes in a user's normal usage patterns, to identify threats quickly and accurately.
The User Risk Score is displayed based on incidents, threats, and anomalies and is calculated using a weighted average of multiple attributes. This score is updated daily and is calculated based on the last day's activities and incidents.
Skyhigh Security provides this comprehensive assessment of a User's Risk Score by measuring the following factors:
- Deviation in intent and usage. This compares a user’s recent behavior with their past behavior, to identify suspicious changes.
- User’s security posture. This compares the user's behavior with other users' behavior, to compare them to normal usage.
- Metadata. Metadata about the user, which is obtained via external and internal sources, such as trusted devices, locations, and networks.
NOTE: User Risk Score is displayed only for Sanctioned CASB users.
View the User Risk Score
You can view the User Risk Score associated with each user at a glance on the User Details Page.
To drill down for more details, see the User Details Cloud Card.
How is User Risk Score Computed?
The concept of a “High-Risk User” is applied throughout the product. The User Risk Score is computed daily on a scale of 0–10 (10 implies the highest risk). It is calculated using multiple data points such as incidents, threats, anomalies, and activities. Scores are computed using the usage history for the last 100 days that Skyhigh CASB has for the user. Risk ratings get more predictable as Skyhigh CASB sees more usage data from the user and in turn might not be as accurate for new users.
Individual usage is then indexed against an average user to compute a composite risk score. Risk scores are not dependent on time windows nor are they sensitive to short bursts of activity in a small time window. Because a user’s risk is based on their activity for the entire time they are monitored by Skyhigh CASB, it is not possible to use this score to determine how risky a user is during a specific time period.
For information on the risk attributes used to determine the User Risk Score, see User Risk Attributes.