Risk score calculation is the process by which the risk engine determines a risk score. The risk score represents the level of risk that is associated with permitting a request to access the resource. The risk score is compared with a threshold score that is set in a policy, and the access decision is made based on the result of that comparison.
Overview
The risk engine determines a risk
score by comparing sets of attributes that identify devices. These
sets of attributes are called device fingerprints. Device
fingerprint attributes include items such as IP address, location,
and screen size. Each registered device has one device fingerprint.
Because the user accesses the resource in different locations and
on different devices, the user can have many registered devices.
The following process describes how risk assessment works:
- The incoming device requests access to the resource.
- The risk engine collects as many device fingerprint attributes as it can from the requesting device.
- After the attributes are collected, the risk engine:
  - Determines the device fingerprint.
  - Calculates the risk score. The risk score:
    - Is a number.
    - Represents the amount of risk that is associated with the incoming request.
    - Indicates how closely the incoming request resembles the user's registered devices: the higher the score, the less likely it is that the request comes from the user.
- The risk engine:
  - Compares the incoming fingerprint with each registered device fingerprint.
  - Uses the attributes that are contained in the larger of the two fingerprints for each comparison, so an attribute that is present in only one fingerprint cannot be matched.
  - Calculates a risk score for each comparison.
- To determine the final risk score, the risk engine:
  - Chooses the lowest risk score of the comparisons between the incoming fingerprint and the registered fingerprints, that is, the score of the closest-matching registered device.
  - Measures the final risk score against a threshold score or range that the administrator sets in a policy.
- Depending on the way the administrator writes the policy, one of the following outcomes occurs:
  - Permit: The risk score for the incoming request is below the threshold score. The user is granted access to the resource. For example, the risk score is 30, and the threshold score that is set by the administrator is 40.
  - Permit with obligation or authentication: The user is asked to complete an extra security measure, such as step-up authentication. For example, the risk score is 40, and the policy that the administrator wrote requires users whose devices score 30 - 90 to step up.
  - Deny: The risk score for the incoming request is above the threshold score or range. The user is denied access to the resource. For example, the risk score is 50, and the threshold score that is set by the administrator is 40.
The risk score is calculated through the following formula:
Risk Score = (total weight of mismatched attributes /
total weight of all attributes) × 100
When the values that belong to the incoming device fingerprint and the registered device fingerprint are the same, the values are matched. When the values are not the same, the values are mismatched.

Sometimes the fingerprints contain attributes that are neither matched nor mismatched, for example because the attribute could not be collected from the incoming device. These attributes are called indeterminate attributes. When indeterminate attributes are present, the following formula is used to calculate the risk score:
Risk Score = (total weight of mismatched attributes /
(total weight of all attributes − total weight of indeterminate attributes)) × 100
Because indeterminate attributes are removed from the denominator, they neither raise nor lower the score; when most attributes cannot be collected, a single mismatched attribute can dominate the score.
Scenarios
The following example scenarios demonstrate risk score calculation.
All three of the scenarios assume that the administrator
- Wrote a policy that specifies that any risk score at or below 40 is permitted, and any risk score above 40 is denied.
- Assigned the weight values that are shown in each table. In Scenarios 1 and 2 every attribute has the same weight value of 10; in Scenario 3 the geoLocation attribute carries most of the weight.
Scenario 1: Authentication permitted
The weight of the single attribute whose device fingerprint values differ is not significant enough to deny authentication.
The example information in the table is used to calculate the risk score.

Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
colorDepth | 10 | 32 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Win32 | Win32
http:userAgent | 10 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 42.29.144.5 | 42.29.144.5
screenHeight | 10 | 1080 | 1080
screenWidth | 10 | 1920 | 1920
- All of the device fingerprint values match except the incoming and registered values for http:userAgent.
- Because http:userAgent is the only attribute with mismatched values, the total weight of the mismatched attributes is 10.
- The total weight of all of the attributes is 70 because each of the seven attributes has a weight value of 10.
- According to the risk score calculation formula: (10/70) × 100 ≈ 14. Therefore, the risk score is 14.
- Because the risk score is below 40, authentication is permitted.
Scenario 2: Authentication denied with multiple significant attributes
The combined weight of the 6 out of 7 attributes whose device fingerprint values differ is significant enough to deny authentication.
The example information in the table is used to calculate the risk score.

Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
colorDepth | 10 | 24 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Linux | Win32
http:userAgent | 10 | Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 9.53.18.164 | 42.29.144.5
screenHeight | 10 | 1050 | 1080
screenWidth | 10 | 1680 | 1920
- deviceLanguage is the only attribute whose incoming and registered device fingerprint values match.
- Because all of the attributes except deviceLanguage have mismatched values, the total weight of the mismatched attributes is 60.
- The total weight of all of the attributes is 70 because each of the seven attributes has a weight value of 10.
- According to the risk score calculation formula: (60/70) × 100 ≈ 86. Therefore, the risk score is 86.
- Because the risk score is above 40, authentication is denied.
Scenario 3: Authentication denied with one significant attribute
The weight of the single attribute whose device fingerprint values differ is significant enough, on its own, to deny authentication.
The example information in the table is used to calculate the risk score.

Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
devicePlatform | 5 | Android | Android
geoLocation | 85 | 51.499444, -0.1275, 10 | 30.283611, -97.7325, 10
screenHeight | 5 | 800 | 800
screenWidth | 5 | 480 | 480
- In addition to the previous assumptions, the policy in this scenario treats geoLocation values that are more than 40 kilometers apart as a mismatch.
- All of the device fingerprint values match except the incoming and registered values for the geoLocation attribute. The geoLocation attribute contains the coordinates that the risk engine uses to calculate the distance between the location of the incoming device and the registered location. In this instance, the distance between the two locations is 7909 kilometers, far beyond the 40-kilometer limit, so the attribute is mismatched.
- Because geoLocation is the only attribute with mismatched values, the total weight of the mismatched attributes is 85.
- The total weight of all of the attributes is 100 because the geoLocation attribute has a weight value of 85, and devicePlatform, screenHeight, and screenWidth each have a weight value of 5.
- According to the risk score calculation formula: (85/100) × 100 = 85. Therefore, the risk score is 85.
- Because the risk score is above 40, authentication is denied.
Note: Authentication can be denied when the incoming and registered device fingerprint values for just one attribute show a large enough discrepancy and that attribute carries enough weight. In this scenario, the distance between the incoming location and the registered location is too large for authentication to be permitted, and geoLocation carries 85 of the 100 weight points.
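As an added example that is not IBM's risk engine code, the following Python reproduces, on the attribute values of the three scenarios, the formula from the calculation section (including the indeterminate-attribute variant), the rule from the overview that the lowest score across the user's registered devices is kept, the three policy outcomes, and the geoLocation distance check from Scenario 3. The Earth radius, rounding to the nearest integer, treating an attribute that was not collected (None) as indeterminate, checking a step-up range before the permit threshold, and the second Linux registration are assumptions made for the example, not behaviour the page states.

```python
# Toy risk engine (added example, not IBM's code). Attribute names, weights and
# fingerprint values are the page's own; everything marked "assumption" is not.
import math

EARTH_RADIUS_KM = 6371.0  # assumption: mean Earth radius for the distance check


def haversine_km(p1, p2):
    """Great-circle distance between two (lat, lon) points in decimal degrees."""
    lat1, lon1, lat2, lon2 = (math.radians(v) for v in (*p1, *p2))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def compare(name, incoming, registered, max_distance_km):
    """Classify one attribute as 'match', 'mismatch' or 'indeterminate'."""
    if incoming is None or registered is None:   # assumption: not collected
        return "indeterminate"
    if name == "geoLocation":  # "lat, lon, third value"; only lat/lon are used (assumption)
        p1 = tuple(float(x) for x in incoming.split(",")[:2])
        p2 = tuple(float(x) for x in registered.split(",")[:2])
        return "match" if haversine_km(p1, p2) <= max_distance_km else "mismatch"
    return "match" if incoming == registered else "mismatch"


def risk_score(weights, incoming, registered, max_distance_km=40.0):
    """mismatched weight / (all weight - indeterminate weight) * 100, rounded."""
    mismatched = indeterminate = 0
    for name, weight in weights.items():
        outcome = compare(name, incoming.get(name), registered.get(name), max_distance_km)
        if outcome == "mismatch":
            mismatched += weight
        elif outcome == "indeterminate":
            indeterminate += weight
    comparable = sum(weights.values()) - indeterminate
    if comparable == 0:
        return 100  # nothing could be compared: treat as maximum risk (assumption)
    return round(mismatched / comparable * 100)


def final_risk_score(weights, incoming, registered_devices, max_distance_km=40.0):
    """The engine keeps the lowest score over all of the user's registered devices."""
    return min(risk_score(weights, incoming, d, max_distance_km) for d in registered_devices)


def decide(score, permit_max=40, step_up_range=None):
    """Policy outcome; a configured step-up range is checked first (assumption)."""
    if step_up_range and step_up_range[0] <= score <= step_up_range[1]:
        return "step_up"
    return "permit" if score <= permit_max else "deny"


# Scenario data from the page's tables.
WEIGHTS_EQUAL = {n: 10 for n in ("colorDepth", "deviceLanguage", "devicePlatform",
                                 "http:userAgent", "ipAddress", "screenHeight", "screenWidth")}
WINDOWS_REGISTERED = {
    "colorDepth": "32", "deviceLanguage": "en-US", "devicePlatform": "Win32",
    "http:userAgent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/28.0.1468.0 Safari/537.36",
    "ipAddress": "42.29.144.5", "screenHeight": "1080", "screenWidth": "1920"}
SCENARIO1_INCOMING = {**WINDOWS_REGISTERED, "http:userAgent":
                      "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1"}
SCENARIO2_INCOMING = {
    "colorDepth": "24", "deviceLanguage": "en-US", "devicePlatform": "Linux",
    "http:userAgent": "Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/27.0.1453.93 Safari/537.36",
    "ipAddress": "9.53.18.164", "screenHeight": "1050", "screenWidth": "1680"}
# Constructed for the example: the same Linux machine registered earlier from another address.
LINUX_REGISTERED = {**SCENARIO2_INCOMING, "ipAddress": "10.0.0.7"}

WEIGHTS_GEO = {"devicePlatform": 5, "geoLocation": 85, "screenHeight": 5, "screenWidth": 5}
SCENARIO3_INCOMING = {"devicePlatform": "Android", "geoLocation": "51.499444, -0.1275, 10",
                      "screenHeight": "800", "screenWidth": "480"}
SCENARIO3_REGISTERED = {**SCENARIO3_INCOMING, "geoLocation": "30.283611, -97.7325, 10"}

if __name__ == "__main__":
    cases = (("Scenario 1", WEIGHTS_EQUAL, SCENARIO1_INCOMING, [WINDOWS_REGISTERED]),
             ("Scenario 2", WEIGHTS_EQUAL, SCENARIO2_INCOMING, [WINDOWS_REGISTERED]),
             ("Scenario 3", WEIGHTS_GEO, SCENARIO3_INCOMING, [SCENARIO3_REGISTERED]),
             ("Scenario 2, Linux device also registered", WEIGHTS_EQUAL, SCENARIO2_INCOMING,
              [WINDOWS_REGISTERED, LINUX_REGISTERED]))
    for label, weights, incoming, registered in cases:
        score = final_risk_score(weights, incoming, registered)
        print(f"{label}: risk score {score} -> {decide(score)}")
```

Running the script prints the page's scores of 14, 86 and 85, then 14 for the Linux device once a matching registration exists: the same request that is denied against the Windows registration alone is permitted when the closest registered device is used, which is why the final score is the minimum over registered devices. Dropping an attribute from the incoming fingerprint (None) shrinks the denominator rather than counting as a mismatch, which is the indeterminate-attribute formula at work.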