
How does social engineering impact my BreachRisk™ Score?

Our precision phishing engine from CIRT™ is now a part of BreachRisk. Here's how it affects your score.

This feature is rolling out now to Early Access BreachRisk for Business Pro and Premium subscribers, so things are evolving. This initial information will help you see where things are headed.


BreachRisk™ social engineering features bring our powerful precision phishing engine from our CIRT™ service into BreachRisk™.

Unlike many other phishing services that focus on quantity, we carefully craft attacks designed to not only test whether your team is opening phishing emails, but also if your security controls will prevent us from actually executing the attacks that follow.

How do I know if I have access to social engineering?

This feature is available to BreachRisk™ for Business subscribers at the Pro and Premium service levels. It will be rolled out to Early Access program participants first, and then to each applicable subscriber.

If it is enabled, you'll see a menu item on the left menu for "BreachRisk™ Social". Here's an example:

How will social engineering impact my BreachRisk™ Score?

Every part of your organization that we discover and test adds more rigor to your BreachRisk™ service, and social engineering is no different. As we continue to increase the rigor of our testing, your first thought might be "this will worsen my score." Here's the better way to think about it:

Reasons you want us to increase rigor

  1. We'll find issues that could lead to a breach before actual attackers do.
  2. When you share your penetration testing results with your insurance provider, compliance audit, and others, you'll want to be able to show them that social engineering was included.
  3. When you share your BreachRisk™ Score with customers, partners, boardroom, and other stakeholders, you'll want them to see a high level of rigor so they have more trust and confidence in your security.

What will cause my BreachRisk™ Score to change?

As you know by now, your BreachRisk™ Score includes two important dimensions:

  • The rating number, from 0 (best) to 10 (most dangerous), represents how easy we believe it is for an attacker to cause a breach. You want the rating number to be as low as possible.
  • The fidelity rating, an upper and lower range around that number, represents how much confidence an attacker (and you) can place in the rating number. The narrower the range, the higher the fidelity. You want fidelity to be as high as possible.

Both of these dimensions can be impacted by social engineering. 

Social engineering activities let us find more ways an attacker could break in, and that can raise your rating number. But the same activities can also lower it when your people and controls hold up, and in either case they significantly improve fidelity.

Generally, if an attacker would have reason to believe a breach could succeed, your risk rating will increase; if we are consistently thwarted, your risk rating will decrease or be unaffected. Here are some example cases where your BreachRisk™ Score might change:

  1. If someone on your team opens a phishing email we send, your BreachRisk™ Score will increase.
  2. If an opened phishing email is able to deliver our (benign) malicious payload because your security controls fail to interrupt the attack, your BreachRisk™ Score will increase further. Opening the email and executing the payload are scored as separate findings, because each is a separate control failure.
  3. If we repeatedly attempt to phish you but nobody opens the emails, or our payloads are blocked by your controls, the risk rating for this threat vector will tend to decrease, which can in turn lower your overall risk rating.
  4. If social engineering is enabled, the fidelity of your BreachRisk™ Score will usually improve, whichever way the rating number moves.

When will social engineering start affecting my BreachRisk™ Score?

We are phasing in the functionality to ensure your teams have time to understand it and adapt if necessary.

At first, we will provide access to social engineering features without any impact to your BreachRisk™ Score. You will still get the benefit of being able to show stakeholders that you are conducting penetration testing that includes social engineering. But you won't yet get the benefit of increased fidelity in your BreachRisk™ Score.

Next, you'll see a new threat vector representing the threat of social engineering via email. All companies will see this threat, even if they are not conducting social engineering. If you have social engineering enabled, this threat vector will be tested with our phishing engine, and you'll get an improved fidelity rating in your BreachRisk™ Score.

What's next?

The information in this article and our rollout of these features is ongoing. As usual, we welcome your feedback. We are dedicated to making rigorous testing a part of your process that improves your team, increases your profits, and helps you better achieve your mission with your stakeholders.