A risk score is assigned when a rule is added to a risk policy. This risk score indicates the priority and criticality of the rule.
For example, if you have configured a set of rules, but you want one rule to be the most important rule, assign it a higher risk score compared to the other rules. If the rule evaluation is successful, the risk score is set as zero.
If a rule evaluation is not successful, the risk score is set as the value of the rule. If you have configured multiple rules, the total risk score is the sum of risk scores of all the failed rules.
Let us assume that you have created two rules to validate login requests to a financial application. You have determined that Rule 1 is the most critical rule and want users to gain access when this rule is evaluated.
Table 4-6 Risk Rules
|
Rules |
Risk Score |
If rule condition is met, then |
|---|---|---|
|
Rule 1 |
50 |
Allow access and exit policy |
|
Rule 2 |
30 |
Return risk level low |
Depending on the risk score returned after evaluation of rule, risk level is assigned and action is taken.
Table 4-7 Risk Scores and Risk Levels
|
Total Risk Score |
Risk Level |
Action |
|---|---|---|
|
31-80 |
Medium |
Additional authentication must be requested. |
|
0-30 |
Low |
Allow access. |
The following table describes how the rules are evaluated:
Table 4-8 Risk Score Calculation for the Rules
|
Scenario |
Details |
Total Risk Score |
Action |
|---|---|---|---|
|
Rule 1 is successfully evaluated. |
Rule 2 is not considered for rule processing as Rule 1 is configured to exit the policy when condition is met. |
0 |
Access is allowed. |
|
Rule 1 and Rule 2 fail. |
In this case, the total risk score is 80 as both the rules have failed. |
80 |
Additional authentication is requested. |
You have created three rules to access login requests to a financial application. All the rules must evaluate successfully to grant access to the user.
Table 4-9 Risk Rules
|
Rules |
Risk Score |
If rule condition is met, then |
|---|---|---|
|
Rule 1 |
50 |
Proceed to Next Rule |
|
Rule 2 |
30 |
Proceed to Next Rule |
|
Rule 3 |
10 |
Exit with Risk Level as...Low |
Depending on the risk score returned after evaluation of rule, risk level is assigned and action is taken.
Table 4-10 Risk Scores and Risk Levels
|
Total Risk Score |
Risk Level |
Action |
|---|---|---|
|
0-30 |
Low |
Allow access |
|
31-50 |
Medium |
Additional authentication |
|
51-100 |
High |
Deny access |
The following table describes how the rules are evaluated:
Table 4-11 Risk Score Calculation for the Rules
|
Scenario |
Details |
Total Risk Score |
Action |
|---|---|---|---|
|
Rule 1, Rule 2, and Rule 3 are successfully evaluated. |
As all the rules are evaluated without errors, the risk score is 0. |
0 |
Access is allowed. |
|
Rule 1 evaluates successfully, but Rule 2 and Rule 3 fail. |
The risk score is the value assigned to the rule that failed. In this case, the risk score is 40. |
40 |
Additional authentication is requested. |
|
Rule 1 fails, but Rule 2 and Rule 3 evaluate successfully. |
The risk score is the value assigned to the rule that failed. In this case, the risk score is 50. |
50 |
Additional authentication is requested. |
|
Rule 2 evaluates successfully, but rule 1 and rule 3 fail. |
The risk score is the sum of risk scores of all failed rules. In this case, the risk score is 60. |
60 |
Access is denied. |
|
Rule 2 fails, but rule 1 and rule 3 evaluate successfully. |
The risk score is the sum of risk scores of all failed rules. In this case, the risk score is 30. |
30 |
Access is allowed. |
|
All the rules fail. |
The risk score is the sum of risk scores of all failed rules. In this case, the risk score is 90. |
90 |
Access is denied. |