Risk score calculation

Risk score calculation is the process by which the risk engine determines a risk score. The risk score indicates the level of risk associated with permitting a request to access the resource. The risk engine compares this risk score with a threshold score set in a policy and makes an access decision based on the result of the comparison.

Overview

The risk engine determines a risk score by comparing sets of attributes that identify devices. These sets of attributes are called device fingerprints. Device fingerprint attributes include items such as IP address, location, and screen size. Each registered device has one device fingerprint. Because the user accesses the resource in different locations and on different devices, the user can have many registered devices. The following process describes how risk assessment works:

  1. The incoming device requests access to the resource.
  2. The risk engine collects as many device fingerprint attributes as it can from the request device.
  3. After the attributes are collected, the risk engine:

    • Determines the device fingerprint.
    • Calculates the risk score. The risk score:

      • Is a number.
      • Represents the amount of risk associated with the incoming request.
      • Reflects the likelihood that the incoming request represents the user.

  4. The risk engine:

    • Compares the incoming fingerprint with each registered device fingerprint.
    • Uses the attributes contained in the larger fingerprint for each comparison.
    • Calculates a risk score for each comparison.

  5. To determine the final risk score, the risk engine:

    • Chooses the lowest risk score from the comparisons between the incoming fingerprint and each registered fingerprint.
    • Measures the final risk score against a threshold score or range the administrator sets in a policy.

  6. Depending on the way the administrator writes the policy, one of the following outcomes occurs:

      Permit
      The risk score for the incoming request is well below the threshold score. The user is granted access to the resource. For example, the risk score is 30, and the threshold score that is set by the administrator is 40.

      Permit with obligation or authentication
      The user is asked to complete an extra security measure, such as step up authentication. For example, the risk score is 40, and the policy the administrator wrote requires users that operate devices with scores 30 - 90 to step up.

      Deny
      The risk score for the incoming request is above the threshold score or range. The user is denied access to the resource. For example, the risk score is 50, and the threshold score set by the administrator is 40.

The risk score is calculated through the following formula:

Risk Score = (total weight of mismatched attributes / total weight of all attributes) × 100

When the values that belong to the incoming device fingerprint and the registered device fingerprint are the same, the values are matched. When the values that belong to the incoming device fingerprint and the registered device fingerprint are not the same, the values are mismatched. Sometimes, the fingerprints contain attributes that are not matched or mismatched. These attributes are called indeterminate attributes. When there are indeterminate attributes present, the following formula is used to calculate the risk score:

Risk Score = (total weight of mismatched attributes / (total weight of all attributes − total weight of indeterminate attributes)) × 100

Scenarios

The following example scenarios demonstrate risk score calculation. All three of the scenarios assume the administrator

Scenario 1: Authentication permitted

The unequal device fingerprint values belong to only one attribute, and their total weight is not significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.

Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
colorDepth | 10 | 32 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Win32 | Win32
http:userAgent | 10 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 42.29.144.5 | 42.29.144.5
screenHeight | 10 | 1080 | 1080
screenWidth | 10 | 1920 | 1920

Scenario 2: Authentication denied with multiple significant attributes

The unequal device fingerprint values belong to 6 of the 7 attributes, and their total weight is significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.

Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
colorDepth | 10 | 24 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Linux | Win32
http:userAgent | 10 | Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 9.53.18.164 | 42.29.144.5
screenHeight | 10 | 1050 | 1080
screenWidth | 10 | 1680 | 1920

Scenario 3: Authentication denied with one significant attribute

The total weight of the unequal device fingerprint values that belongs to one attribute is significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.

Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
devicePlatform | 5 | Android | Android
geoLocation | 85 | 51.499444, -0.1275, 10 | 30.283611, -97.7325, 10
screenHeight | 5 | 800 | 800
screenWidth | 5 | 480 | 480

Authentication can be denied if the incoming fingerprint value and registered device fingerprint value for just one attribute indicate a large enough discrepancy. In this scenario, the distance between the incoming device fingerprint value and the registered device fingerprint value is too large for authentication to be permitted.
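The calculation steps, the two formulas, and the three scenarios above, worked through in Python as an added example. This is not the product's own code: the function names (risk_score, final_risk_score, decide, run_scenarios), the haversine comparison of geoLocation values with a 50 km match radius (GEO_MATCH_KM), the rule that a fingerprint with nothing comparable scores 100, and the threshold of 40 used to evaluate the scenarios are all assumptions made here, not values taken from the page. The scenario data is copied from the tables.

```python
"""Risk score calculation over device fingerprints (added example)."""
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Dict, Iterable, Tuple

Fingerprint = Dict[str, object]

# Assumption: a geoLocation value is (latitude, longitude, third field as shown
# in the table, unused here), and two locations match when they lie within
# GEO_MATCH_KM of each other. The page states no radius; this is a placeholder.
GEO_MATCH_KM = 50.0


def haversine_km(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    """Great-circle distance in kilometres between two (lat, lon, ...) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


# Per-attribute comparison functions; attributes not listed match on equality.
MATCHERS: Dict[str, Callable[[object, object], bool]] = {
    "geoLocation": lambda inc, reg: haversine_km(inc, reg) <= GEO_MATCH_KM,
}


def risk_score(weights: Dict[str, float], incoming: Fingerprint, registered: Fingerprint) -> float:
    """Score one comparison on the 0-100 scale of the two formulas above.

    Step 4 compares over the attributes of the larger fingerprint; the union of
    both attribute sets covers exactly that. An attribute present in only one
    fingerprint is neither matched nor mismatched, so it is indeterminate and
    its weight is removed from the denominator (second formula).
    """
    total = mismatched = indeterminate = 0.0
    for name in incoming.keys() | registered.keys():
        weight = weights[name]
        total += weight
        if name not in incoming or name not in registered:
            indeterminate += weight
            continue
        matches = MATCHERS.get(name, lambda x, y: x == y)
        if not matches(incoming[name], registered[name]):
            mismatched += weight
    comparable = total - indeterminate
    if comparable <= 0:
        return 100.0  # Assumption: nothing comparable is treated as maximum risk.
    return mismatched / comparable * 100


def final_risk_score(weights: Dict[str, float], incoming: Fingerprint,
                     registered_devices: Iterable[Fingerprint]) -> float:
    """Step 5: score against every registered device and keep the lowest score."""
    return min(risk_score(weights, incoming, device) for device in registered_devices)


def decide(score: float, permit_below: float, deny_above: float) -> str:
    """Step 6 outcomes for a hypothetical policy: permit under permit_below, deny
    over deny_above, step up in between. Equal values give a single threshold."""
    if score < permit_below:
        return "Permit"
    if score > deny_above:
        return "Deny"
    return "Permit with obligation or authentication"


# Scenario data copied from the tables above.
WEIGHTS_10 = {n: 10 for n in ("colorDepth", "deviceLanguage", "devicePlatform",
                              "http:userAgent", "ipAddress", "screenHeight", "screenWidth")}
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1"
CHROME_WIN_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/28.0.1468.0 Safari/537.36")
CHROME_LINUX_UA = ("Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36")
REGISTERED_WIN: Fingerprint = {
    "colorDepth": 32, "deviceLanguage": "en-US", "devicePlatform": "Win32",
    "http:userAgent": CHROME_WIN_UA, "ipAddress": "42.29.144.5",
    "screenHeight": 1080, "screenWidth": 1920}
SCENARIO_1: Fingerprint = {**REGISTERED_WIN, "http:userAgent": FIREFOX_UA}
SCENARIO_2: Fingerprint = {
    "colorDepth": 24, "deviceLanguage": "en-US", "devicePlatform": "Linux",
    "http:userAgent": CHROME_LINUX_UA, "ipAddress": "9.53.18.164",
    "screenHeight": 1050, "screenWidth": 1680}
WEIGHTS_GEO = {"devicePlatform": 5, "geoLocation": 85, "screenHeight": 5, "screenWidth": 5}
REGISTERED_ANDROID: Fingerprint = {"devicePlatform": "Android",
                                   "geoLocation": (30.283611, -97.7325, 10),
                                   "screenHeight": 800, "screenWidth": 480}
SCENARIO_3: Fingerprint = {**REGISTERED_ANDROID, "geoLocation": (51.499444, -0.1275, 10)}


def run_scenarios(threshold: float = 40.0) -> Dict[str, Tuple[float, str]]:
    """Score each scenario against its registered device and apply a
    single-threshold policy (the threshold value is an assumption)."""
    cases = {"scenario 1": (WEIGHTS_10, SCENARIO_1, REGISTERED_WIN),
             "scenario 2": (WEIGHTS_10, SCENARIO_2, REGISTERED_WIN),
             "scenario 3": (WEIGHTS_GEO, SCENARIO_3, REGISTERED_ANDROID)}
    results = {}
    for label, (weights, incoming, registered) in cases.items():
        score = risk_score(weights, incoming, registered)
        results[label] = (round(score, 2), decide(score, threshold, threshold))
    return results


if __name__ == "__main__":
    for label, (score, outcome) in run_scenarios().items():
        print(f"{label}: risk score {score} -> {outcome}")
```

With equal weights, scenario 1 scores 10/70 × 100 ≈ 14.29 and scenario 2 scores 60/70 × 100 ≈ 85.71; scenario 3 scores 85/100 × 100 = 85 because the single heavily weighted geoLocation attribute mismatches. The indeterminate branch matters in practice: a client that withholds an attribute must not lower the score by diluting the denominator, which is why the weight of an attribute missing on either side is excluded rather than counted as a match.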
