Connect with us

Hi, what are you looking for?


Artificial Intelligence

KnowBe4 Brings Artificial Intelligence to Security Awareness Training

It seems that you cannot have a new security product without a machine learning component. It makes sense. Machine learning recognizes patterns and returns probabilities. Risk, and cyber security is all about risk, is also about patterns and probabilities. Binary security is beginning to look a bit old.

It seems that you cannot have a new security product without a machine learning component. It makes sense. Machine learning recognizes patterns and returns probabilities. Risk, and cyber security is all about risk, is also about patterns and probabilities. Binary security is beginning to look a bit old.

Now machine learning has entered security awareness training. Security awareness training firm KnowBe4 has added a Virtual Risk Officer (VRO), a Virtual Risk Score (VRS), and Advanced Reporting (AR) features to its security awareness training and simulated phishing platform.

“We’ve integrated a deep learning neural network that evaluates how risk changes over time within an organization,” explains Stu Sjouwerman, CEO of KnowBe4, “which helps cybersecurity professionals measure how their security awareness program performs.”

Traditional simulated phishing tells organizations which of its employees are deceived by a simulated phish, and which ones recognized it. On its own, it gives no real measure on the probability of the employees falling for a future — perhaps malicious — phish.

This is the purpose of the VRO and the VRS. The VRO helps the security team to identify risk at the user, group or organizational level. This makes future awareness training plans more relevant. The VRS highlights which groups are particularly vulnerable to social engineering attacks — again allowing the security team to more finely focus its training.

Machine learning works by analyzing data and detecting patterns that would normally be missed by human analysts. KnowBe4’s approach is to draw the raw data from five categories. These are breach history (has the user been exposed in a prior breach made publicly known); extent of training; the state of their ‘phish-prone percentage’ (which is a KnowBe4 measure of the user’s fail points); the level of risk for their operational group (for example, working in finance would be a high risk level); and a booster feature that allows the security team to adjust for known risk factors.

Sjouwerman told SecurityWeek how this works. “Each user will have a Personal Risk Score. The risk score for an organization’s groups and an organization is a calculation based on the Personal Risk Scores of all of the members of that group or organization.”

Advertisement. Scroll to continue reading.

That personal risk score, he continued, “is calculated by several different factors including how likely the user is to be targeted with a phishing or social engineering attack, how they will react to these types of events, and how severe the consequences would be if they fell for an attack.”

For example, the Personal Risk Score of employees in an Accounting Department will be higher than those of employees in the Graphic Design Department, because an Accounting Department has access to sensitive financial data. “Similarly,” he added, “a CEO or CFO will have a higher risk score than a Marketing Director, because the C-level executives may have access to classified or proprietary information about the organization.”

The effect of KnowBe4’s neural network is to bring together all of these different factors into a single metric: the virtual risk score that is based on more than just the user’s phishing and training performance. The process is rounded off by KnowBe4’s new Advanced Reporting feature. This, says the company, gives access to more than 60 built-in reports with insights that give a holistic view of the entire organization over time. Each report, which is now available immediately, gives visibility into the organization’s security awareness performance based on trainings taken and simulated phishing data.

“Before AR and VRO,” explains Sjouwerman, “the admin could see Phish-prone percentage and training but could not correlate those two items. AR allows the correlation and VRO takes that to the next level by also incorporating additional data such as user exposure and role within the organization.”

Clearwater, FL-based KnowBe4 was founded by Stu Sjouwerman in 2010. It raised $30 million in Series B financing  led by Goldman Sachs Growth Equity (GS Growth) in October 2017; bringing the total funding to date to $44 million.

Related: PhishMe Acquired at $400 Million Valuation, Rebranded as Cofense 

Related: Security Awareness Training Debate: Does it Make a Difference? 

Related: Security Awareness Training Top Priority for CISOs: Report 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Training & Awareness

Google has announced a new training program for cybersecurity analysts and those who graduate will get a professional certificate from Google.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...