Republic Onboarding, Risk Measurement & User Journey (FAQ)

Typical User Journey

  • Day 1: Teams welcome → 10-minute onboarding (segmentation + intro videos + portal)

  • Day 2 (if Interception): 2-minute video → Level 0 phish → practise reporting with the Outlook add-in

  • Days 3–26: 1 question per workday (24 total) to establish baseline

  • End of Week 4–6: Republic combines results + engagement into a Scorecard and assigns Green / Amber / Red

  • From Week 6 onward: The user’s cadence adapts, with fewer touches for strong performers and targeted interventions for high-risk topics

  • Pre-unlock: Status splash (installs, onboarding completion, days to unlock)

  • Week 6: Full dashboard unlock + first automated 4-week risk report

  • Ongoing: Live risk trends, reporting/click rates, question performance, heat maps, and exportable evidence

Lack of engagement contributes to score decay and zone movement. Republic reduces noise for disengaged users but will schedule minimal checks and nudges to re-establish a safe baseline.

Users still receive onboarding, the 24-day baseline, and adaptive nudges. You’ll miss real-world phishing signals, which are highly predictive for risk zoning.

Onboarding

Once your IT team rolls out the Teams bot (and the Outlook Interception add-in if used), each user gets a welcome message in Microsoft Teams. They complete a 10-minute onboarding that:

  • Explains Republic and how the Teams bot works

  • Asks a short set of segmentation questions (role, department, exposure, etc.)

  • Plays short intro videos

  • Introduces the web portal for personal progress and resources

Users receive a 2-minute video that explains the “dangerous email reporting game” and how to use the Republic Outlook add-in. Immediately after, they receive a Level 0 (very easy) simulated phish so they can practise safe reporting.

From Day 3 onward, users receive one multiple-choice question per day for 24 days (workdays). Everyone gets the same 24 foundational questions. This establishes a fast, fair baseline across the workforce.

  • Deploy the Teams bot (and Outlook add-in if using Interception)

  • Confirm which users/groups to target

  • That’s it. Republic handles the user comms and drip sequence automatically.

A splash dashboard appears shortly before Week 6 showing rollout status (users installed, onboarding completion, days until unlock). The full dashboard unlocks at Week 6, and automated risk reports generate every 4 weeks thereafter (first report at Week 6).

Individual Risk Measurement (Scorecards & Zones)

Each user has a dynamic Scorecard built from multiple signals, including:

  • Question performance (the 24-day baseline + ongoing questions)

  • Phishing behaviour (reports vs. clicks, response time)

  • Engagement (watching videos, reading articles/Republic News)

  • Incidents reported

  • Score decay (skills degrade without practice; Republic gently retests)

We don’t expose proprietary weights, but the model emphasises real behaviours over rote completion.

After the 24-day baseline, users are placed into a zone that updates continuously:

  • Green: Strong baseline & good engagement

    • Cadence: ~1–2 questions/week, no intervention videos

  • Amber: Mixed results or uneven engagement

    • Cadence: ~2–3 questions/week, targeted reinforcement

  • Red: Weak areas detected, risky actions (e.g., phish clicks) or low engagement

    • Cadence: Next queued event includes a focused intervention video (usually next workday) plus follow-up checks

Interventions are triggered by entering Red on any Scorecard pillar (e.g., phish handling, link hygiene, MFA, device safety) or by specific risky events. The intervention topic maps to the user’s weakness, not a generic module.

Governance, Privacy & Evidence

  • The dashboard and every-4-weeks risk reports show zone movement, phishing KPIs (reports vs clicks), question performance, and engagement. These exports support internal audits and board updates.

  • Republic is GDPR compliant. Minimal personal data is collected from end users beyond a name and email. Data-processing details and other security information are available on request.