Risk score calculation

Risk score calculation is the process by which the risk engine determines a risk score. The risk score represents the level of risk that is associated with permitting a request to access the resource. This risk score is compared to a threshold score that is set in a policy. A decision is made based on the result of this comparison.

Overview

The risk engine determines a risk score by comparing sets of attributes that identify devices. These sets of attributes are called device fingerprints. Device fingerprint attributes include items such as IP address, location, and screen size. Each registered device has one device fingerprint. Because the user accesses the resource in different locations and on different devices, the user can have many registered devices.

The following process describes how risk assessment works:
  1. The incoming device requests access to the resource.
  2. The risk engine collects as many device fingerprint attributes as it can from the request device.
  3. After the attributes are collected, the risk engine:
    • Determines the device fingerprint.
    • Calculates the risk score. The risk score
      • Is a number.
      • Represents the amount of risk that is associated with the incoming request.
      • Indicates the likelihood that the incoming request represents the user.
  4. The risk engine:
    • Compares the incoming fingerprint with each registered device fingerprint.
    • Uses the attributes that are contained in the larger fingerprint for each comparison.
    • Calculates a risk score for each comparison.
  5. To determine the final risk score, the risk engine:
    • Chooses the lowest risk score of the comparisons between the incoming fingerprint and the registered fingerprint.
    • Measures the final risk score against a threshold score or range that the administrator sets in a policy.
  6. Depending on the way the administrator writes the policy, one of the following outcomes occurs:
    Permit
    The risk score for the incoming request is well below the threshold score. The user is granted access to the resource. For example, the risk score is 30, and the threshold score that is set by the administrator is 40.
    Permit with obligation or authentication
    The user is asked to complete an extra security measure, such as step up authentication. For example, the risk score is 40, and the policy that the administrator wrote requires users that operate devices with scores 30 - 90 to step up.
    Deny
    The risk score for the incoming request is above the threshold score or range. The user is denied access to the resource. For example, the risk score is 50, and the threshold score that is set by the administrator is 40.
The risk score is calculated through the following formula:
Risk Score = (total weight of mismatched attributes / total weight of all attributes) × 100

When the values that belong to the incoming device fingerprint and the registered device fingerprint are the same, the values are matched. When the values that belong to the incoming device fingerprint and the registered device fingerprint are not the same, the values are mismatched.

Sometimes, the fingerprints contain attributes that are not matched or mismatched. These attributes are called indeterminate attributes. When there are indeterminate attributes present, the following formula is used to calculate the risk score:
Risk Score = (total weight of mismatched attributes / (total weight of all attributes − total weight of indeterminate attributes)) × 100

Scenarios

The following example scenarios demonstrate risk score calculation.

All three of the scenarios assume that the administrator
  • Wrote a policy that specifies that any risk score at or below 40 is permitted, and any risk score above 40 is denied.
  • Gave equal weight values to all of the attributes in the tables (each attribute has a weight value of 10).

Scenario 1: Authentication permitted

The total weight of the unequal device fingerprint values that belong to one attribute is not significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.
Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
colorDepth | 10 | 32 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Win32 | Win32
http:userAgent | 10 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 42.29.144.5 | 42.29.144.5
screenHeight | 10 | 1080 | 1080
screenWidth | 10 | 1920 | 1920

Scenario 2: Authentication denied with multiple significant attributes

The total weight of the unequal device fingerprint values that belong to 6 out of 7 of the attributes is significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.
Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
colorDepth | 10 | 24 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Linux | Win32
http:userAgent | 10 | Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 9.53.18.164 | 42.29.144.5
screenHeight | 10 | 1050 | 1080
screenWidth | 10 | 1680 | 1920

  • None of the device fingerprint values match except for the incoming device fingerprint value and existing device fingerprint value for deviceLanguage.
  • Because all of the attributes except for deviceLanguage have mismatched values, the collective weight of the mismatched attributes is 60.
  • The total weight of all of the attributes is 70 because each attribute has a weight value of 10.
  • According to the risk score calculation formula: (60/70)×100=86. Therefore, the risk score is 86.
  • Because the risk score is above 40, authentication is denied.

Scenario 3: Authentication denied with one significant attribute

The total weight of the unequal device fingerprint values that belong to one attribute is significant enough to prohibit authentication.

The example information in the table is used to calculate the risk score.
Attribute name | Weight value | Incoming device fingerprint value | Registered device fingerprint value
devicePlatform | 5 | Android | Android
geoLocation | 85 | 51.499444, -0.1275, 10 | 30.283611, -97.7325, 10
screenHeight | 5 | 800 | 800
screenWidth | 5 | 480 | 480

  • In addition to the previous assumptions, this scenario prohibits any distance greater than 40 kilometers.
  • All of the device fingerprint values match except for the incoming device fingerprint value and the existing device fingerprint value for the geoLocation attribute. The geoLocation attribute contains the values that the risk engine uses to calculate the distance between the incoming device fingerprint and the registered device fingerprint. In this instance, the distance between the two device fingerprints is 7909 kilometers.
  • Because the geoLocation attribute is the only attribute with mismatched values, the weight of the mismatched attributes is 85.
  • The total weight of all of the attributes is 100 because the geoLocation attribute has a weight value of 85. devicePlatform, screenHeight, and screenWidth each have weight values of 5.
  • According to the risk score calculation formula: (85/100)×100=85. Therefore, the risk score is 85.
  • Because the risk score is above 40, authentication is denied.
Note: Authentication can be denied if the incoming fingerprint value and registered device fingerprint value for just one attribute indicate a large enough discrepancy. In this scenario, the distance between the incoming device fingerprint value and the registered device fingerprint value is too large for authentication to be permitted.
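The following Python code is an added example, not part of the product documentation, that works through the process above: it classifies each attribute of the larger fingerprint as matched, mismatched or indeterminate, applies the weighted formula (including the indeterminate variant), takes the lowest score across registered devices, and compares it with the 40 threshold from the scenarios. The geoLocation handling uses a haversine great-circle distance with the 40 kilometre limit from scenario 3; the attribute names, the "lat, lon, accuracy" value format and the rule that a fingerprint with no comparable attributes scores 100 are assumptions made for this example.

```python
import math

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def compare_attribute(name, incoming, registered, max_km):
    """Classify one attribute as 'match', 'mismatch' or 'indeterminate'."""
    if incoming is None or registered is None:
        return "indeterminate"  # attribute present in only one of the two fingerprints
    if name == "geoLocation":  # assumed "lat, lon, accuracy" format; mismatch beyond max_km
        a = [float(x) for x in incoming.split(",")[:2]]
        b = [float(x) for x in registered.split(",")[:2]]
        return "mismatch" if haversine_km(a[0], a[1], b[0], b[1]) > max_km else "match"
    return "match" if incoming == registered else "mismatch"

def risk_score(weights, incoming, registered, max_km=40.0):
    """(mismatched weight / (total weight - indeterminate weight)) x 100, rounded."""
    larger = incoming if len(incoming) >= len(registered) else registered
    total = mismatched = indeterminate = 0
    for name in larger:  # the larger fingerprint's attributes drive the comparison
        w = weights[name]
        total += w
        outcome = compare_attribute(name, incoming.get(name), registered.get(name), max_km)
        if outcome == "mismatch":
            mismatched += w
        elif outcome == "indeterminate":
            indeterminate += w
    usable = total - indeterminate
    return 100 if usable == 0 else round(100 * mismatched / usable)  # assumption: no usable attributes -> max risk

def final_risk_score(weights, incoming, registered_devices, max_km=40.0):
    """Lowest score across all of the user's registered device fingerprints."""
    return min(risk_score(weights, incoming, r, max_km) for r in registered_devices)

def decide(score, threshold=40):
    """Policy used by the scenarios: at or below the threshold permits, above denies."""
    return "permit" if score <= threshold else "deny"

# Constructed sample data reproducing scenario 3 (weights 5/85/5/5, London and Austin coordinates).
WEIGHTS_S3 = {"devicePlatform": 5, "geoLocation": 85, "screenHeight": 5, "screenWidth": 5}
INCOMING_S3 = {"devicePlatform": "Android", "geoLocation": "51.499444, -0.1275, 10",
               "screenHeight": "800", "screenWidth": "480"}
REGISTERED_S3 = {"devicePlatform": "Android", "geoLocation": "30.283611, -97.7325, 10",
                 "screenHeight": "800", "screenWidth": "480"}
```

Calling `decide(final_risk_score(WEIGHTS_S3, INCOMING_S3, [REGISTERED_S3]))` reproduces scenario 3: a score of 85 and a deny decision.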