User Risk Management FAQs

Frequently asked questions about User Risk Management.

  • Does the user risk management feature impact existing MaaS360 workflows, policies, or compliance rules?

    User risk management is an Analytics feature that works with existing MaaS360 features. This feature does not impact or replace existing MaaS360® workflows. This feature provides security management insights that are based on risky behaviors that MaaS360 detects across all users and devices.

  • Do all risk rules work for all customers?
    While multiple predefined risk rules are available for all customers, the risk rules must meet the following prerequisites:
    • The customer must enable risk rules in the Risk Rule Configurator.
    • The additional MaaS360 services that work with the user risk management feature must be enabled in the customer's environment. For example, the malware detection rule works only if the customer purchased the Enterprise or MTM service.
  • How frequently is a risk evaluated?

    The risk engine runs once every 24 hours. During this run, the risk engine evaluates existing and new incidents and updates risk scores.

  • How does a risk score change (increase or decrease)?
    The risk score increases when a new incident is detected that is already associated with an enabled, predefined risk rule.
    • User behavior-based risk rules: The risk score gradually decreases over time if a risk incident is not detected again. The risk scores increase if a user continues to re-create risky incidents.
    • Device-based risk rules: The risk score increases when a risky incident is detected. When the risky incident is resolved, the risk score returns to zero.
    Note: If you add or remove risk rules, the risk score is impacted since the risk engine now detects new incidents.
  • What happens to a risk score when risk rules are added or removed?

    When new risk rules are added (enabled), these rules are evaluated to detect incidents that might be related to new rules. This action might lead to detecting new risk incidents, which might increase risk scores. The risk rules are evaluated in the same way when any rule names under a specific rule set are enabled.

    When risk rules are removed (disabled), risk incidents that were associated with those risk rules are not evaluated. Existing risk incidents that are associated with the risk rule still display in the dashboard and remain unaffected by disablement of the risk rule. These risk incidents contribute to the user's risk score until the retention period for the risk incident is complete (60 days). The risk rules are evaluated in the same way when any rule names under a specific rule set are disabled. However, in this case, the risk score is adjusted to the enabled rule name criteria, if applicable; otherwise, the contribution to the risk score continues until the retention period for the risk incident is complete (60 days).

  • What happens to a risk score when the risk rule severity is modified?

    When the severity of a risk rule is changed, for example, increased from Low to Medium or High or reduced from High to Medium or Low, the new severity takes effect on the next run of the risk engine. The risk incidents that are detected in subsequent risk engine runs use the new risk severity.

  • What happens when a risk incident is resolved by the user?

    When a device-based risk incident is resolved by a user, the risk score that is associated with the risk incident returns to zero. When a user behavior-based risk incident is resolved, the risk score that is associated with the incident gradually decreases over time and returns to zero. However, if the risk incident reoccurs during this time, the risk score increases instead of decreasing.

  • How does user risk management handle corporate-shared devices?

    Corporate-shared devices are excluded from risk analysis. These devices are not displayed in the Security Dashboard.

  • How does user risk management handle inactive users or devices?

    Inactive users or devices are excluded from risk analysis. If a user or a device becomes inactive after the user risk management feature is enabled, these users and devices are still present in MaaS360, but are labeled as risky users or devices until they are deleted or removed from MaaS360.

    On the User Risk Summary page, these devices are labeled as Enrolled. However, if a device becomes inactive after the feature is enabled, the device is removed from the Security Dashboard, which can take up to 24 hours to process.

  • Can users view their risk scores?

    The User Risk Management feature is for administrators only. Risk incidents and risk scores are only visible to the administrator. Users cannot view their risk score. The Security Dashboard allows the administrator to notify a user about risk incidents on the user's device.

  • What happens to old risk incidents that are associated with a customer account?

    On the Security Dashboard, any risk incidents that are older than 60 days are deleted from the risk analysis and removed from the system. The risk score that is associated with these risk incidents is removed from the risk score analysis.