Risk score calculation
Risk score calculation is the process by which the risk engine determines a risk score. The risk score demonstrates the level of risk that is associated with permitting a request to access the resource. This risk score is compared to a threshold score that is set in a policy. A decision is made based on the result of this comparison.
Overview
The risk engine determines a risk score by comparing sets of attributes that identify devices. These sets of attributes are called device fingerprints. Device fingerprint attributes include items such as IP address, location, and screen size. Each registered device has one device fingerprint. Because the user accesses the resource in different locations and on different devices, the user can have many registered devices.
The risk engine determines the risk score in the following sequence:
- The incoming device requests access to the resource.
- The risk engine collects as many device fingerprint attributes as it can from the requesting device.
- After the attributes are collected, the risk engine:
  - Determines the device fingerprint.
  - Calculates the risk score. The risk score:
    - Is a number.
    - Represents the amount of risk that is associated with the incoming request.
    - Indicates the likelihood that the incoming request represents the user.
- The risk engine:
  - Compares the incoming fingerprint with each registered device fingerprint.
  - Uses the attributes that are contained in the larger fingerprint for each comparison.
  - Calculates a risk score for each comparison.
- To determine the final risk score, the risk engine:
  - Chooses the lowest risk score of the comparisons between the incoming fingerprint and the registered fingerprints.
  - Measures the final risk score against a threshold score or range that the administrator sets in a policy.
- Depending on the way the administrator writes the policy, one of the following outcomes occurs:
  - Permit: The risk score for the incoming request is well below the threshold score. The user is granted access to the resource. For example, the risk score is 30, and the threshold score that is set by the administrator is 40.
  - Permit with obligation or authentication: The user is asked to complete an extra security measure, such as step-up authentication. For example, the risk score is 40, and the policy that the administrator wrote requires users that operate devices with scores 30 - 90 to step up.
  - Deny: The risk score for the incoming request is above the threshold score or range. The user is denied access to the resource. For example, the risk score is 50, and the threshold score that is set by the administrator is 40.
When the values that belong to the incoming device fingerprint and the registered device fingerprint are the same, the values are matched. When the values are not the same, the values are mismatched. The risk engine calculates the risk score as:

Risk Score = (total weight of mismatched attributes / total weight of all attributes) × 100

When some attributes are indeterminate, their weight is excluded from the denominator:

Risk Score = (total weight of mismatched attributes / (total weight of all attributes − total weight of indeterminate attributes)) × 100
Scenarios
The following example scenarios demonstrate risk score calculation. In every scenario, assume that the administrator:
- Wrote a policy that specifies that any risk score at or below 40 is permitted, and any risk score above 40 is denied.
- Gave equal weight values to all of the attributes in the tables. Unless a scenario states otherwise, the attributes in the tables have the same weight value of 10.
Scenario 1: Authentication permitted
The total weight of the unequal device fingerprint values that belongs to one attribute is not significant enough to prohibit authentication.
Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
---|---|---|---
colorDepth | 10 | 32 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Win32 | Win32
http:userAgent | 10 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 42.29.144.5 | 42.29.144.5
screenHeight | 10 | 1080 | 1080
screenWidth | 10 | 1920 | 1920
- All of the device fingerprint values match except for the incoming device fingerprint value and the existing device fingerprint value for http:userAgent.
- Because http:userAgent is the only attribute that has any mismatched values, the total weight of the mismatched attributes is 10.
- The total weight of all of the attributes is 70 because each attribute has a weight value of 10.
- According to the risk score calculation formula: (10/70)×100=14. Therefore, the risk score is 14.
- Because the risk score is below 40, authentication is permitted.
Scenario 2: Authentication denied with multiple significant attributes
The total weight of the unequal device fingerprint values that belongs to 6 out of 7 of the attributes is significant enough to prohibit authentication.
Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
---|---|---|---
colorDepth | 10 | 24 | 32
deviceLanguage | 10 | en-US | en-US
devicePlatform | 10 | Linux | Win32
http:userAgent | 10 | Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36 | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
ipAddress | 10 | 9.53.18.164 | 42.29.144.5
screenHeight | 10 | 1050 | 1080
screenWidth | 10 | 1680 | 1920
- None of the device fingerprint values match except for the incoming device fingerprint value and the existing device fingerprint value for deviceLanguage.
- Because all of the attributes except for deviceLanguage have mismatched values, the collective weight of the mismatched attributes is 60.
- The total weight of all of the attributes is 70 because each attribute has a weight value of 10.
- According to the risk score calculation formula: (60/70)×100=86. Therefore, the risk score is 86.
- Because the risk score is above 40, authentication is denied.
Scenario 3: Authentication denied with one significant attribute
The total weight of the unequal device fingerprint values that belongs to one attribute is significant enough to prohibit authentication.
Attribute names | Weight values | Incoming device fingerprint values | Registered device fingerprint values
---|---|---|---
devicePlatform | 5 | Android | Android
geoLocation | 85 | 51.499444, -0.1275, 10 | 30.283611, -97.7325, 10
screenHeight | 5 | 800 | 800
screenWidth | 5 | 480 | 480
- In addition to the previous assumptions, this scenario prohibits any distance greater than 40 kilometers.
- All of the device fingerprint values match except for the incoming device fingerprint value and the existing device fingerprint value for the geoLocation attribute. The geoLocation attribute contains the values that the risk engine uses to calculate the distance between the incoming device fingerprint and the registered device fingerprint. In this instance, the distance between the two device fingerprints is 7909 kilometers.
- Because the geoLocation attribute is the only attribute with mismatched values, the weight of the mismatched attributes is 85.
- The total weight of all of the attributes is 100 because the geoLocation attribute has a weight value of 85, and devicePlatform, screenHeight, and screenWidth each have weight values of 5.
- According to the risk score calculation formula: (85/100)×100=85. Therefore, the risk score is 85.
- Because the risk score is above 40, authentication is denied.
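The following Python program is an added worked example, not code from the product or this page, that carries the risk score formula (including the indeterminate-attribute variant) and the three scenarios above through to a policy decision. It assumes a few things the page does not state: scores are rounded to the nearest integer (the page shows 14 for 10/70 and 86 for 60/70), an attribute whose value is absent on either side is treated as indeterminate, geoLocation is compared by great-circle distance (haversine, Earth radius 6371 km) against the 40 km limit of Scenario 3 using only the latitude and longitude fields, and a second registered Linux device in the last check is constructed to show how the lowest comparison score becomes the final score.

```python
"""Risk score worked example (added illustration, not the product's own code)."""
import math


def haversine_km(p, q):
    """Great-circle distance in km between (lat, lon, ...) tuples; assumption: R = 6371 km."""
    lat1, lon1 = math.radians(p[0]), math.radians(p[1])
    lat2, lon2 = math.radians(q[0]), math.radians(q[1])
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def compare_attribute(name, incoming, registered, max_distance_km=40.0):
    """Classify one attribute as 'match', 'mismatch' or 'indeterminate'."""
    if incoming is None or registered is None:
        return "indeterminate"  # assumption: an absent value cannot be judged either way
    if name == "geoLocation":   # assumption: distance-based comparison, 40 km limit as in Scenario 3
        return "match" if haversine_km(incoming, registered) <= max_distance_km else "mismatch"
    return "match" if incoming == registered else "mismatch"


def risk_score(weights, incoming, registered, max_distance_km=40.0):
    """Score one incoming fingerprint against one registered fingerprint.

    The attribute set comes from the larger fingerprint, as the page states;
    indeterminate weight is removed from the denominator per the second formula.
    """
    larger = incoming if len(incoming) >= len(registered) else registered
    total = mismatched = indeterminate = 0
    for name in larger:
        w = weights[name]
        total += w
        outcome = compare_attribute(name, incoming.get(name), registered.get(name), max_distance_km)
        if outcome == "mismatch":
            mismatched += w
        elif outcome == "indeterminate":
            indeterminate += w
    denominator = total - indeterminate
    if denominator == 0:
        return 100  # nothing comparable at all: treat as maximum risk (assumption)
    return round(mismatched / denominator * 100)  # assumption: rounded as the page's figures are


def final_risk_score(weights, incoming, registered_devices, max_distance_km=40.0):
    """Final score is the lowest score across all of the user's registered devices."""
    return min(risk_score(weights, incoming, r, max_distance_km) for r in registered_devices)


def decide(score, threshold=40, step_up_range=None):
    """Policy outcome: permit at or below the threshold, deny above it; an optional
    (low, high) range asks for step-up authentication first."""
    if step_up_range and step_up_range[0] <= score <= step_up_range[1]:
        return "step-up"
    return "permit" if score <= threshold else "deny"


# Scenario data transcribed from the tables above.
EQUAL = {n: 10 for n in ("colorDepth", "deviceLanguage", "devicePlatform",
                         "http:userAgent", "ipAddress", "screenHeight", "screenWidth")}
CHROME_WIN_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
REGISTERED_WIN = {"colorDepth": "32", "deviceLanguage": "en-US", "devicePlatform": "Win32",
                  "http:userAgent": CHROME_WIN_UA, "ipAddress": "42.29.144.5",
                  "screenHeight": "1080", "screenWidth": "1920"}
SCENARIO_1 = dict(REGISTERED_WIN, **{"http:userAgent":
                  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20120427 Firefox/15.0a1"})
SCENARIO_2 = {"colorDepth": "24", "deviceLanguage": "en-US", "devicePlatform": "Linux",
              "http:userAgent": "Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36 "
                                "(KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36",
              "ipAddress": "9.53.18.164", "screenHeight": "1050", "screenWidth": "1680"}
GEO_WEIGHTS = {"devicePlatform": 5, "geoLocation": 85, "screenHeight": 5, "screenWidth": 5}
REGISTERED_ANDROID = {"devicePlatform": "Android", "geoLocation": (30.283611, -97.7325, 10),
                      "screenHeight": "800", "screenWidth": "480"}
SCENARIO_3 = dict(REGISTERED_ANDROID, geoLocation=(51.499444, -0.1275, 10))

if __name__ == "__main__":
    for label, w, inc, reg in (("Scenario 1", EQUAL, SCENARIO_1, REGISTERED_WIN),
                               ("Scenario 2", EQUAL, SCENARIO_2, REGISTERED_WIN),
                               ("Scenario 3", GEO_WEIGHTS, SCENARIO_3, REGISTERED_ANDROID)):
        s = risk_score(w, inc, reg)
        print(f"{label}: risk score {s} -> {decide(s)}")
    # Constructed: the same user also registered the Linux device, so the lowest comparison wins.
    print("Scenario 2 with Linux device registered:",
          final_risk_score(EQUAL, SCENARIO_2, [REGISTERED_WIN, SCENARIO_2]))
```

The indeterminate branch is worth exercising: set `ipAddress` to `None` in Scenario 1 and the denominator drops from 70 to 60, so the single mismatch scores 17 rather than 14. Note that with only one registered device a new laptop in the same office (Scenario 2) already scores 86, which is why registering each device the user legitimately operates matters more than tuning the threshold.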