Code42 News

Introducing Incydr’s Risk Prioritization Model

4 minutes Read

Aimee Simpson

Manager, Product Marketing

The black glass box of risk prioritization

Whether caused by Shadow IT, remote work, employee turnover, or other common triggers, organizations are up against a massive challenge to get a handle on corporate data leak.


Code42’s Insider Risk Management (IRM) framework is designed to give security team’s a 5-step practical guide for mitigating corporate data leak without disrupting legitimate business. Our product, Incydr, has been purpose-built to fulfill the technical requirements of this approach. The prioritization model announced today is our next step in supporting an organization’s ability to define its risk tolerance and prioritize its data and user risk, thus fulfilling two of the key stages of IRM.

Our Strategy

When we started our R&D process, we knew:

1. Security practitioners need focus. They need to know what data risks are worth their time.

They need help determining what to look at and when. Security time is limited, yet the  potential to miss something that might damage the business is very real. Code42 Data Exposure Report research revealed that nearly ⅔ of IT security leaders said they just don’t know which Insider Risks to prioritize. And we wanted to address that challenge head on.

2. Security practitioners need to be able to trust the methodology behind prioritization.

We knew from talking to security professionals that they needed to have confidence in – and understanding of – the technology they use to manage Insider Risk. So on the one hand they’d tell us, “We need your help knowing what risks actually matter and are worth our time.” But on the other hand, they’d say, “We’re not really sure we can trust a technology to prioritize risk for us.”

Many have been burned by “black box” security technologies that use AI to generate severities and prioritize risks. Unfortunately, these technologies aren’t able to explain why something is flagged as more important than something else because it would give away their secret sauce, and that can lead to lack of trust in the model.

We knew our solution needed to be different. Our approach to prioritization needed to be very transparent. To borrow from math teachers everywhere, we needed to “show our work” so that security teams could understand why a user or activity is prioritized, and feel confident that our risk scoring is based on rich expertise and best practices that they can trust.

We also knew we needed to build upon the context-driven approach Incydr already has. Context really is king in the world of Insider Risk. Yet, Code42 Data Exposure research revealed that security professionals say they lack the context needed to quickly identify if an activity represents risks 72% of the time.

About Incydr’s Risk Prioritization Model

To effectively deliver high-fidelity risk signal to our customers, we’ve developed a risk prioritization model that is:

  • Context-driven: designed it to manage dynamic Insider Risk using file, vector and user Insider Risk Indicators (IRIs)
  • Pragmatic: rooted the model in real-world Insider Risk expertise. We’ve built it with our customer’s most important Insider Risk Management use cases in mind.
  • Adaptable: easily tuned to an organization’s unique Insider Risk tolerance through adjustable prioritization settings.

How it Works

Incydr’s ability to prioritize Insider Risk is all powered by our Insider Risk Indicators (IRIs). IRIs are activities or characteristics that suggest corporate data is at a higher risk of exposure or exfiltration. They are what Incydr uses to prioritize the users and events that represent the greatest risk to the organization. When monitoring file activity, Incydr watches for these IRIs across files, vectors and users.

Incydr assigns a numerical risk score to every risk indicator in Incydr’s extensive IRI library. We’ve determined these risk scores by combining our own product telemetry data on the highest risk IRIs with qualitative research on security practitioner experiences. These scores are totaled to determine the severity of a detected event, and users are prioritized by the criticality of events they trigger. If needed, administrators can adjust this prioritization to better fit their own risk tolerance through risk and trust settings.

Early test data reveals that this model really does limit the scope of critical severity events, and therefore provides focus to customers, with the average customer seeing between 1 and 4% of users triggering a critical severity event in a given week.

Incydr’s new risk prioritization model is now in limited early access with select customers. It will be made available to all customers later this summer.

Want to learn more? Read the overview to see more examples of how Incydr prioritizes risk to data, or contact us.

Aimee Simpson

As a manager of product marketing for Code42, Aimee is responsible for product launch and technical content. She joined Code42 in 2013, having previously worked at Dell and Compellent Technologies.