Risk score calculation
Risk score calculation is the process by which the risk engine determines a risk score. The risk score demonstrates the level of risk associated with permitting a request to access the resource. This risk score is compared to a threshold score set in a policy. A decision is made based on the result of this comparison.
Overview
The risk engine determines a risk score by comparing sets of attributes that identify devices. These sets of attributes are called device fingerprints. Device fingerprint attributes include items such as IP address, location, and screen size. Each registered device has one device fingerprint. Because the user accesses the resource in different locations and on different devices, the user can have many registered devices. The following process describes how risk assessment works:
- The incoming device requests access to the resource.
- The risk engine collects as many device fingerprint attributes as it can from the request device.
- After the attributes are collected, the risk engine:
- Determines the device fingerprint.
- Calculates the risk score. The risk score
- Is a number.
- Represents the amount of risk associated with the incoming request.
- The likelihood the incoming request represents the user.
- The risk engine:
- Compares the incoming fingerprint with each registered device fingerprint.
- Uses the attributes contained in the larger fingerprint for each comparison.
- Calculates a risk score for each comparison.
- To determine the final risk score, the risk engine:
- Chooses the lowest risk score of the comparisons between the incoming fingerprint and the registered fingerprint.
- Measures the final risk score against a threshold score or range the administrator sets in a policy.
- Depending on the way the administrator writes the policy, one of the following outcomes occurs:
- Permit
- The risk score for the incoming request is well below the threshold score. The user is granted access to the resource. For example, the risk score is 30, and the threshold score that is set by the administrator is 40.
- Permit with obligation or authentication
- The user is asked to complete an extra security measure, such as step up authentication. For example, the risk score is 40, and the policy the administrator wrote requires users that operate devices with scores 30 - 90 to step up.
- Deny
- The risk score for the incoming request is above the threshold score or range. The user is denied access to the resource. For example, the risk score is 50, and the threshold score set by the administrator is 40.
The risk score is calculated through the following formula:
Risk Score = (total weight of mismatched attributes / total weight of all attributes) × 100
When the values that belong to the incoming device fingerprint and the registered device fingerprint are the same, the values are matched. When the values that belong to the incoming device fingerprint and the registered device fingerprint are not the same, the values are mismatched. Sometimes, the fingerprints contain attributes that are not matched or mismatched. These attributes are called indeterminate attributes. When there are indeterminate attributes present, the following formula is used to calculate the risk score:
Risk Score = (total weight of mismatched attributes / (total weight of all attributes−total weight of indeterminate attributes)) × 100
Scenarios
The following example scenarios demonstrate risk score calculation. All three of the scenarios assume the administrator
- Wrote a policy that specifies that any risk score at or below 40 is permitted, and any risk score above 40 is denied.
- Gave equal weight values to all of the attributes in the tables.
- The attributes in the tables have the same weight value of 10.
Scenario 1: Authentication permitted
The total weight of the unequal device fingerprint values that belongs to one attribute is not significant enough to prohibit authentication.
The example information in the table is used to calculate the risk score.>
Attribute names Weight values Incoming device fingerprint values Registered device fingerprint values colorDepth 10 32 32 deviceLanguage 10 en-US en-US devicePlatform 10 Win32 Win32 http:userAgent 10 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 ipAddress 10 42.29.144.5 42.29.144.5 screenHeight 10 1080 1080 screenWidth 10 1920 1920
- All of the device fingerprint values match except for the incoming device fingerprint value and existing device fingerprint value for http:userAgent.
- Because http:userAgent is the only attribute that has any mismatched values, the total weight of the mismatched attributes is 10.
- The total weight of all of the attributes is 70 because each attribute has a weight value of 10.
- According to the risk score calculation formula: (10/70)×100=14. Therefore, the risk score is 14.
- Because the risk score is below 40, authentication is permitted.
Scenario 2: Authentication denied with multiple significant attributes
The total weight of the unequal device fingerprint values that belongs to 6 out of 7 of the attributes is significant enough to prohibit authentication.
The example information in the table is used to calculate the risk score.>
Attribute names Weight values Incoming device fingerprint values Registered device fingerprint values colorDepth 10 24 32 deviceLanguage 10 en-US en-US devicePlatform 10 Linux Win32 http:userAgent 10 Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36 ipAddress 10 9.53.18.164 42.29.144.5 screenHeight 10 1050 1080 screenWidth 10 1680 1920
- None of the device fingerprint values match except for the incoming device fingerprint value and existing device fingerprint value for deviceLanguage.
- Because all of the attributes except for deviceLanguage have mismatched values, the collective weight of the mismatched attributes is 60.
- The total weight of all of the attributes is 70 because each attribute has a weight value of 10.
- According to the risk score calculation formula: (60/70)×100=86. Therefore, the risk score is 86.
- Because the risk score is above 40, authentication is denied.
Scenario 3: Authentication denied with one significant attribute
The total weight of the unequal device fingerprint values that belongs to one attribute is significant enough to prohibit authentication.
The example information in the table is used to calculate the risk score.>
Attribute names Weight values Incoming device fingerprint values Registered device fingerprint values devicePlatform 5 Android Android geoLocation 85 51.499444, -0.1275, 10 30.283611, -97.7325, 10 screenHeight 5 800 800 screenWidth 5 480 480
- In addition to the previous assumptions, this scenario prohibits any distance greater than 40 kilometers.
- All of the device fingerprint values match except for the incoming device fingerprint value and the existing device fingerprint value for the geoLocation attribute. The geoLocation attribute contains the values the risk engine uses to calculate the distance between the incoming device fingerprint and the registered device fingerprint. In this instance, the distance between the two device fingerprints is 7909 kilometers.
- Because the geoLocation attribute is the only attribute with mismatched values, the weight of the mismatched attributes is 85.
- The total weight of all of the attributes is 100 because the geoLocation attribute has a weight value of 85. devicePlatform, screenHeight, and screenWidth each have weight values of 5.
- According to the risk score calculation formula: (85/100)×100=85. Therefore, the risk score is 85.
- Because the risk score is above 40, authentication is denied.
Authentication can be denied if the incoming fingerprint value and registered device fingerprint value for just one attribute indicate a large enough discrepancy. In this scenario, the distance between the incoming device fingerprint value and the registered device fingerprint value is too large for authentication to be permitted.
Parent topic: Risk management overview