Users incorrectly scored against risk vectors

Article ID: 195874


Products

Information Centric Analytics

Issue/Introduction

Users who were the recipients of messages that triggered the creation of Data In Motion (DIM) incidents in Symantec Data Loss Prevention (DLP) receive a risk score in Information Centric Analytics (ICA), as do the senders of these messages.

Similarly, users who are not members of an entity collection referenced in a risk vector definition receive risk scores against that risk vector. For example, an administrator creates a risk vector based on the DIM incidents of a particular collection of users, or entity collection. Users who are not members of this collection but have received e-mail sent from users in this collection will also be scored against this risk vector.

Environment

Version: 6.x

Component: Risk Vectors

Cause

A user's risk score is based on the user's inclusion in the set of users that corresponds to a risk vector definition. When a risk vector definition covers DIM incidents that carry multiple user IDs (for example, e-mail) and is not configured to exclude message recipients, the recipient IDs are scored against that risk vector along with the sender.

Resolution

Add a user direction filter in the Analyzer to the entity collection and event scenario definitions so that, for events that identify both a source and a destination (such as e-mail), only source users are included. This isolates risk score associations from destination users. For example, the DIM Incident User Direction dimension can be used to ensure only the sending user is scored when a risk vector is configured to include DIM incidents.
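
The scoring behaviour described under Cause and the effect of the direction filter described under Resolution, as a simplified model added here for illustration. It is not ICA code or the ICA schema; the row layout, user names, collection and function names are assumptions.

```python
# Simplified model of risk-vector scoring (constructed; not ICA's schema or code).
from collections import Counter

# Each row links one user ID to one DIM incident with a direction, mirroring
# the idea behind the "DIM Incident User Direction" dimension.
# Constructed sample data: (incident_id, user, direction)
INCIDENT_USERS = [
    (101, "alice", "Source"),
    (101, "bob", "Destination"),
    (101, "carol", "Destination"),
    (102, "frank", "Source"),        # unrelated incident, no collection member
    (102, "grace", "Destination"),
    (103, "alice", "Source"),
    (103, "erin", "Destination"),
]

# Hypothetical entity collection referenced by the risk vector definition.
ENTITY_COLLECTION = {"alice"}


def incidents_for_collection(rows, collection, direction=None):
    """Incidents matched by the collection, optionally only where the
    collection member appears with the given direction."""
    return {
        inc for inc, user, d in rows
        if user in collection and (direction is None or d == direction)
    }


def score_users(rows, collection, direction=None):
    """Count matching incidents per user for the risk vector.

    direction=None     -> every user ID on a matching incident is scored
                          (the behaviour described under Cause).
    direction="Source" -> only sending users are matched and scored
                          (the filter described under Resolution).
    """
    selected = incidents_for_collection(rows, collection, direction)
    scores = Counter()
    for inc, user, d in rows:
        if inc in selected and (direction is None or d == direction):
            scores[user] += 1
    return dict(scores)


if __name__ == "__main__":
    print("no filter:  ", score_users(INCIDENT_USERS, ENTITY_COLLECTION))
    print("Source only:", score_users(INCIDENT_USERS, ENTITY_COLLECTION, "Source"))
```

Comparing the two results for a real risk vector gives a quick check: any user who appears only in the unfiltered result is being scored purely as a recipient.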