
How does Teramind define risk?

Updated over 3 weeks ago

Teramind's Approach to Measuring Risk

Teramind utilizes a "rule-based" approach to measure risk. This flexible model scales risk based on user-defined severity while automatically tracking frequency and timing thresholds, allowing you to differentiate between isolated incidents and habitual violations. By adapting to behavior in real-time, Teramind identifies both one-off high-risk events and accumulated risk over time, transforming raw activity into a nuanced and responsive map of organizational risk.

Key Benefits of This Approach:

Using a rule-based scoring system provides several strategic advantages for security teams:

  • Measurable Risk Metrics: An easy-to-understand numerical Risk Score provides an objective way to compare risk levels across departments and to audit the effectiveness of security policies over time.

  • Elimination of Alert Fatigue: Frequency-based thresholds filter out "noise," ensuring your team focuses only on significant, high-scoring threats.

  • Detection of "Slow-Drip" Threats: Because the Risk Score is cumulative, the system identifies users who consistently commit minor infractions that, when aggregated, represent a major behavioral issue.

  • Proportional Responses: Take different rule action(s) based on the detected risk level.

Defining the Risk Severity

You assign risk Severity to a behavior rule from its Actions > Advanced tab.

Severity is based on a Period (e.g., daily) and a Frequency. For example, you can set an email rule that assigns a "Low" risk severity when a user sends 5 emails (frequency) in a day (period) but a "High" severity when they send more than 10 emails in a day. You can take different rule actions depending on the frequency and severity, for example a Warn action for the "Low" risk event and a Block action for the "High" risk event.

Viewing the Risk Report

The primary place to view the risk severity report is the Risk tab of the Behavior Alerts dashboard.

How Risk Severity is Translated into Risk Score

The "Risk Severity" label set in a rule is translated into a number, the "Risk Score", on the dashboard. A risk severity of "None" means a risk score of 0, "Low" means 1, "Moderate" means 2, "High" means 3, etc. The total risk score is:

Risk Score = Alert Count x Risk Severity

On the dashboard, you will notice a "Count" value. It is the number of alerts, i.e., how many times a rule was broken. Each rule violation generates 1 alert, so even if a user broke only one rule but did so three times during the report period, the Count will be 3. For example, if a user broke a rule twice with a risk severity of 3, their alert count will be 2 and their risk score will be 2x3 = 6.
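The following is an added example, not Teramind's code, that models the scoring described above: violations are bucketed per user per day, the day's frequency selects the severity label (thresholds modelled on the email example: 5 in a day is "Low", more than 10 is "High"), and Risk Score = Count x Risk Severity is summed per user. The rule structure, the "one alert per matching event" counting and the sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Severity labels and the numeric Risk Score each one maps to, as the article states.
SEVERITY_SCORE = {"None": 0, "Low": 1, "Moderate": 2, "High": 3}

# Constructed rule modelled on the article's email example: at least 5 violations in a
# day is "Low", more than 10 is "High". Thresholds are checked highest first.
EMAIL_RULE = {"name": "email-volume", "thresholds": [(11, "High"), (5, "Low")]}

def severity_for_count(rule, count):
    """Return the severity label whose frequency threshold `count` reaches."""
    for minimum, label in rule["thresholds"]:
        if count >= minimum:
            return label
    return "None"

def score_events(rule, events):
    """events: iterable of (user, ISO-8601 timestamp), one per rule violation (alert).
    Buckets alerts per user per day (the assumed period), assigns each day's severity
    from its frequency, and returns per-user totals:
    {user: {"count": alerts, "score": sum over days of count * severity}}."""
    per_day = defaultdict(int)
    for user, ts in events:
        per_day[(user, datetime.fromisoformat(ts).date())] += 1
    totals = defaultdict(lambda: {"count": 0, "score": 0})
    for (user, _day), count in per_day.items():
        severity = severity_for_count(rule, count)  # "None" scores 0 but still counts
        totals[user]["count"] += count
        totals[user]["score"] += count * SEVERITY_SCORE[severity]
    return dict(totals)

# Constructed sample: alice sends 12 mails in one day (High), bob sends 5 on one day
# (Low) and 2 on another (below threshold), carol sends 3 (below threshold).
SAMPLE_EVENTS = (
    [("alice", f"2024-05-01T09:{m:02d}:00") for m in range(12)]
    + [("bob", f"2024-05-01T10:{m:02d}:00") for m in range(5)]
    + [("bob", "2024-05-02T11:00:00"), ("bob", "2024-05-02T11:30:00")]
    + [("carol", f"2024-05-01T12:{m:02d}:00") for m in range(3)]
)

if __name__ == "__main__":
    for user, r in sorted(score_events(EMAIL_RULE, SAMPLE_EVENTS).items()):
        print(f"{user}: count={r['count']} score={r['score']}")
```

Running it prints alice with count 12 and score 36, bob with count 7 and score 5, and carol with count 3 and score 0, which shows how the cumulative score separates a habitual violator from occasional noise.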
