Risk Scoring

TIDALBAY calculates a real-time security risk score (0-100) for each employee based on their behavior across connected security systems. Higher scores indicate lower risk.

Scoring Overview

The TIDALBAY scoring system combines multiple signals to create a comprehensive view of each employee's security posture:

  • Rule-based scoring: Configurable rules that assign point values to specific events
  • Time decay: Older events have less impact on the current score
  • Recovery mechanisms: Positive actions (training, clean streaks) restore points
  • ML-based anomaly detection (Enterprise): Detects unusual behavioral patterns

Score Calculation

The final score is calculated using the following formula:

final_score = initial_score + Σ(event_impact × decay_factor) + recovery_bonus

where:
  initial_score = tenant-configurable (default: 75)
  decay_factor = e^(-λt), λ = ln(2) / half_life
  half_life = configurable (default: 90 days)

Event Impact

Each security event is assigned a point value based on matching rules:

Event Type          Default Impact   Example
Phishing click      -25 points       Clicked simulated phishing link
MFA disabled        -30 points       Removed MFA from account
Malware detected    -40 points       EDR detected malware on device
Training completed  +15 points       Finished security awareness module
Phishing reported   +10 points       Reported suspicious email

Configurable Rules
All default rules can be customized. You can adjust point values, create new rules, or disable rules that don't apply to your organization.

Time Decay

Events lose impact over time using exponential decay. This ensures that recent behavior has more influence on the score than older events.

With the default 90-day half-life:

  • After 90 days, an event has 50% of its original impact
  • After 180 days, an event has 25% of its original impact
  • After 365 days, an event has ~6% of its original impact

Recovery Mechanisms

Employees can recover score points through positive actions:

  • Training completion: +15 points per completed module (max +30 total)
  • Clean streak: +5 points for every 30 days without a negative event (max +20)
  • Time decay: Negative events automatically lose impact over time

Score Bands

Scores are grouped into bands that determine automated actions:

Band      Score Range  Default Action
Green     80-100       No action needed
Yellow    60-79        Manager notification
Orange    40-59        Mandatory training assigned
Red       20-39        Elevated monitoring, access review
Critical  0-19         Account lockout, security alert

Lockout Safety
Account lockouts at Critical scores require security team approval by default. This can be configured to auto-execute for tenants with high automation requirements.
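
The calculation described above, worked through on a constructed event history as an added example (not TIDALBAY's own code). It assumes t is the event age in days, that training is counted once through the recovery bonus rather than as a decayed event, that the result is clamped to 0-100, and that a clean streak starts at a hypothetical window_start when no negative event exists; the event-type keys are made-up names.

```python
import math
from datetime import date

# Defaults taken from the page; everything else here is an assumption.
INITIAL_SCORE, HALF_LIFE_DAYS = 75, 90
RULES = {"phishing_click": -25, "mfa_disabled": -30, "malware_detected": -40,
         "phishing_reported": 10}   # event-type keys are hypothetical names
BANDS = [(80, "Green"), (60, "Yellow"), (40, "Orange"), (20, "Red"), (0, "Critical")]

def decay_factor(age_days, half_life=HALF_LIFE_DAYS):
    # e^(-λt), λ = ln(2) / half_life; t assumed to be the event age in days
    return math.exp(-math.log(2) / half_life * age_days)

def recovery_bonus(events, today, window_start):
    # Training: +15 per completed module, capped at +30.
    modules = sum(1 for _, kind in events if kind == "training_completed")
    training = min(15 * modules, 30)
    # Clean streak: +5 per full 30 days since the last negative event, capped at +20.
    negatives = [d for d, kind in events if RULES.get(kind, 0) < 0]
    clean_days = (today - max(negatives, default=window_start)).days
    return training + min(5 * (clean_days // 30), 20)

def final_score(events, today, window_start):
    # Assumption: training is counted once, via recovery_bonus, not as a decayed event.
    impact = sum(RULES[kind] * decay_factor((today - d).days)
                 for d, kind in events if kind in RULES)
    raw = INITIAL_SCORE + impact + recovery_bonus(events, today, window_start)
    return max(0.0, min(100.0, raw))   # assumed clamp to the documented 0-100 range

def band(score):
    # First band whose lower bound the score reaches.
    return next(name for floor, name in BANDS if score >= floor)

# Constructed sample history for one employee.
TODAY = date(2025, 7, 1)
EVENTS = [(date(2025, 1, 2), "malware_detected"),    # 180 days old
          (date(2025, 4, 2), "phishing_click"),      # 90 days old
          (date(2025, 5, 1), "training_completed")]

if __name__ == "__main__":
    s = final_score(EVENTS, TODAY, window_start=date(2025, 1, 1))
    print(f"{s:.1f} {band(s)}")
```

The sample shows why a single recent event matters more than an older, nominally worse one: the 180-day-old malware detection contributes -10 while the 90-day-old phishing click contributes -12.5.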

ML-Based Scoring (Enterprise)

Enterprise customers can enable ML-based anomaly detection that identifies unusual behavioral patterns:

  • Unusual login times or locations
  • Abnormal access patterns
  • Deviation from peer group behavior
  • Sudden changes in activity volume

The ML score is blended with the rule-based score using configurable weights (default: 70% rule-based, 30% ML).

Score Transparency

TIDALBAY supports full transparency. When enabled, employees can:

  • View their current score and band
  • See events that affected their score
  • Understand how to improve their score
  • Submit disputes for incorrect events
