An Abnormal Theory on Human Risk: The Formula Behind Abnormal’s Phishing Risk Score

Learn how Abnormal's behavioral model uses signals, recency, and context—not just clicks—to deliver a more accurate and actionable phishing risk score.

Sydney Gangi

March 27, 2026


For years, security awareness programs have approximated “human risk” using simple proxies: who clicked, who reported, and who completed training. These engagement-based metrics became the standard because they were easy to track and easy to measure. But they were never designed to answer a more important question: is the workforce actually learning, improving behavior, and becoming less susceptible to real threats?

A single click in a phishing simulation reduces human risk to a pass/fail outcome, without indicating whether behavior is improving or susceptibility is changing. Completing training does not necessarily translate into better decision-making in the moment. And point-in-time campaign results offer only a snapshot, failing to reflect how human risk evolves over time.

If the scope of human risk cannot be captured in a single event, it cannot be measured with static metrics. It requires a model that continuously evaluates phishing susceptibility based on real user behavior. That is the foundation behind Abnormal’s Phishing Risk Scoring.

Beyond Click Rates: The Real Signals Behind Phishing Risk

At Abnormal, Phishing Risk Scoring is built on a simple premise: human risk is not a single event, but the result of multiple behavioral signals interacting over time. A click is an isolated action. Real risk emerges from patterns—how often someone fails, how recently it happened, and how they respond afterward.

This is why human risk, when measured correctly, starts to look less like a binary outcome and more like a formula. Not a black-box score but a deterministic and transparent calculation grounded in real behavior. The goal is not just to assign a number, but to make that number meaningful and understandable.


At a high level, the model can be expressed as:

Phishing Risk = Negative Behavior Signals + Recency + Training Gaps + Attack Sophistication + VIP Exposure – Positive Security Behavior

This formulation reflects how Abnormal approaches risk calculation in practice. Each component represents a meaningful behavioral signal, and each contributes differently to the overall score. Some behaviors increase risk, while others actively reduce it, creating a more balanced and realistic measure of susceptibility.

Most human risk tools rely heavily on failure as the primary signal. Did the user click? Did they submit credentials? Did they fail the simulation? Those questions matter, but they only capture part of the picture.

Abnormal expands beyond that narrow view by incorporating additional dimensions of behavior. Failure rate is evaluated based on engaged simulations, ensuring the score reflects meaningful interaction rather than email volume. Recency introduces time sensitivity, recognizing that recent failures are more indicative of current risk than older ones. Training completion provides insight into whether a user is improving after a mistake, while reporting behavior signals ongoing awareness and actively reduces risk.

The model also captures more subtle signals. Opening a suspicious email without taking action represents a missed opportunity to report a potential threat. The type of simulation matters as well, since failing a more sophisticated credential phishing or business email compromise scenario indicates a different level of susceptibility than missing a basic phishing attempt. And for certain individuals, organizational context plays a role, as high-value targets inherently carry greater exposure.

Why Behavioral Context Creates a More Accurate Score

The true advantage of this approach lies in the context it captures. Two employees may appear similar on the surface after failing a simulation at some point. But their underlying risk can be fundamentally different.

One employee may have failed a simulation months ago, completed training shortly after, and consistently reported suspicious emails since then. Another may have failed multiple recent simulations, ignored training, and rarely reported suspicious emails. A traditional program might group these users together because they share a similar outcome. In reality, their risk profiles are not comparable.

Abnormal’s scoring model is designed to reflect these differences by weighting behavioral signals based on how they relate to risk. Recent behavior carries more weight because it reflects current susceptibility. Reporting behavior reduces risk, as it indicates awareness. Training completion signals improvement, but does not fully offset repeated or recent failures. The sophistication of the attack also matters, since more complex threats require a higher level of judgment to recognize.
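To make the two-employee comparison above concrete, here is an added example that implements the kind of transparent formula the post describes. It is illustrative code written for this page, not Abnormal's implementation, and every weight, half-life and cap in it is an assumed value chosen to show the mechanics rather than anything Abnormal has published. Recency and attack sophistication are applied as multipliers on the failure signal rather than as standalone terms, which is one reasonable way to operationalize the formula; the two employees at the end are constructed from the paragraph describing them.

```python
from dataclasses import dataclass

# Assumed weights (constructed for illustration; not Abnormal's published values).
HALF_LIFE_DAYS = 30.0           # recency: a 30-day-old signal counts half as much as one from today
SOPHISTICATION_WEIGHT = {"basic": 1.0, "credential": 1.5, "bec": 2.0}
FAILURE_SCALE = 40.0            # points for a recency-weighted failure rate of 1.0 on basic lures
OPENED_NO_ACTION_PENALTY = 3.0  # opened a suspicious email but neither failed nor reported it
TRAINING_GAP_PENALTY = 10.0     # per failure with no remediation training completed afterward
REPORT_CREDIT = 4.0             # per reported simulation ...
REPORT_CREDIT_CAP = 20.0        # ... capped so reporting cannot erase repeated recent failures
VIP_EXPOSURE = 10.0             # organizational context for high-value targets


@dataclass
class Simulation:
    days_ago: int
    sophistication: str           # "basic" | "credential" | "bec"
    engaged: bool                 # user opened/interacted, so the simulation counts toward the rate
    failed: bool                  # clicked or submitted credentials
    reported: bool
    trained_after: bool = False   # completed remediation training after this failure


@dataclass
class User:
    name: str
    is_vip: bool
    simulations: list


def recency_weight(days_ago):
    """Exponential decay so recent behavior dominates older behavior."""
    return 0.5 ** (days_ago / HALF_LIFE_DAYS)


def phishing_risk(user):
    """Return (score, breakdown); score is clamped to 0..100 and every term is visible."""
    engaged = [s for s in user.simulations if s.engaged]
    breakdown = {k: 0.0 for k in ("failures", "opened_no_action", "training_gaps",
                                   "vip_exposure", "reporting_credit")}
    if engaged:
        # Failure rate over engaged simulations only, weighted by recency and sophistication.
        total_w = sum(recency_weight(s.days_ago) for s in engaged)
        failed_w = sum(recency_weight(s.days_ago) * SOPHISTICATION_WEIGHT[s.sophistication]
                       for s in engaged if s.failed)
        breakdown["failures"] = FAILURE_SCALE * failed_w / total_w
        # Missed opportunity to report: opened, did not fail, did not report.
        breakdown["opened_no_action"] = sum(OPENED_NO_ACTION_PENALTY * recency_weight(s.days_ago)
                                            for s in engaged if not s.failed and not s.reported)
        # Training gap: failures that were never followed by remediation training.
        breakdown["training_gaps"] = sum(TRAINING_GAP_PENALTY * recency_weight(s.days_ago)
                                         for s in engaged if s.failed and not s.trained_after)
    breakdown["vip_exposure"] = VIP_EXPOSURE if user.is_vip else 0.0
    # Positive security behavior subtracts from risk, with a cap.
    reports = sum(1 for s in user.simulations if s.reported)
    breakdown["reporting_credit"] = min(REPORT_CREDIT * reports, REPORT_CREDIT_CAP)
    raw = (breakdown["failures"] + breakdown["opened_no_action"] + breakdown["training_gaps"]
           + breakdown["vip_exposure"] - breakdown["reporting_credit"])
    return max(0.0, min(100.0, raw)), breakdown


# Constructed histories for the two employees described in the post.
EMPLOYEE_A = User("A: failed months ago, trained, reports consistently", False, [
    Simulation(150, "credential", engaged=True, failed=True, reported=False, trained_after=True),
    Simulation(120, "basic", engaged=True, failed=False, reported=True),
    Simulation(60, "basic", engaged=True, failed=False, reported=True),
    Simulation(14, "credential", engaged=True, failed=False, reported=True),
])
EMPLOYEE_B = User("B: multiple recent failures, no training, rarely reports", False, [
    Simulation(45, "basic", engaged=True, failed=False, reported=False),   # opened, no action
    Simulation(21, "basic", engaged=True, failed=True, reported=False),
    Simulation(10, "credential", engaged=True, failed=True, reported=False),
    Simulation(3, "bec", engaged=True, failed=True, reported=False),
])

if __name__ == "__main__":
    for user in (EMPLOYEE_A, EMPLOYEE_B):
        score, parts = phishing_risk(user)
        print(f"{user.name}: {score:.1f}")
        for term, value in parts.items():
            print(f"  {term:<18} {value:6.1f}")
```

Both employees have "failed a simulation at some point", yet with these assumed weights employee A scores at the floor while employee B lands near 80, because recency decay, the training-gap term and the reporting credit pull the two histories apart. The breakdown dictionary is the point of the design: a score a security team cannot decompose into its contributing behaviors cannot drive targeted coaching.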

From Static Campaign Results to Continuous Human Risk Measurement

Measuring human risk as a static snapshot creates dangerous blind spots.


A model that captures risk accurately must evolve as employees learn and adapt. Phishing Risk Scoring is designed to update continuously as new behavioral signals are observed, ensuring that the score reflects a user’s current state rather than a historical snapshot.

Instead of relying on periodic campaign results, teams have a continuously updated view of user risk across the organization. High-risk users can be identified as their behavior deteriorates, coaching can be targeted based on recent activity, and changes in susceptibility can be tracked over time.

A More Complete View of Human Risk

Human risk is still measured using static engagement metrics like clicks, reports, and training completion—signals that capture isolated outcomes, not how susceptibility develops over time. As threats become more targeted and convincing, that gap becomes harder to ignore.


Security leaders need a way to measure susceptibility that reflects real behavior, adapts over time, and provides clear insight into where risk actually exists. Abnormal’s Phishing Risk Scoring is built to meet that need. By combining multiple behavioral signals into a unified, explainable model, it delivers a more accurate view of who is at risk, who is improving, and where intervention will have the greatest impact.

A click is merely a single data point. Real risk is shaped by how users respond, how they improve, and how they handle more sophisticated threats. Measuring it effectively means looking at all of these factors together. If human risk has a formula, it should look a lot more like real human behavior.
