Users receive risk scores against Risk Vectors to which they should not be associated; they are not members of the entity collection referenced in the Risk Vector definition.
A user's risk score is based on his or her inclusion in a set of users that correspond to a Risk Vector definition. For a Risk Vector definition that includes multiple user IDs on a given DIM incident (e.g., e-mail), recipient IDs will be transitively associated with the risk score associated with that Risk Vector.
For example, a customer creates a Risk Vector based on the DIM incidents of a particular collection of users. Users who are not members of this collection but have received e-mail sent from users in this collection will inherit the risk score associations of the users in the collection.
User A is associated with a Risk Vector definition ('Risk Vector 1') and sends an e-mail internally to User B. User B is not associated with the Risk Vector definition for 'Risk Vector 1'; however, due to User A sending e-mail to User B, Risk Fabric applies the risk score associated with the Risk Vector 'Risk Vector 1' to User B.
Adding a filter in Analyzer to include only source users in DIM incidents (where a source and destination are identified, e.g., e-mail) in entity collection and event scenario definitions will isolate risk score associations from destination users.