A risk score is assigned when a rule is added to a risk policy. This risk score indicates the priority and criticality of the rule.
For example, if you have configured a set of rules, but you want one rule to be the most important rule, assign it a higher risk score compared to the other rules. If the rule evaluation is successful, the risk score is set as zero.
If a rule evaluation is not successful, the risk score is set as the value of the rule. If you have configured multiple rules, the total risk score is the sum of risk scores of all the failed rules.
Let us assume that you have created two rules to validate login requests to a financial application. You have determined that Rule 1 is the most critical rule and want users to gain access when this rule is evaluated.
Based on the risk score returned after the rule evaluation, risk level is assigned and action is taken.
Table 5-2 Risk Rules
|
Rules |
Risk Score |
If rule condition is met, then |
|---|---|---|
|
Rule 1 |
50 |
Allow access and exit policy |
|
Rule 2 |
30 |
Return risk level low |
Table 5-3 Risk Scores and Risk Levels
|
Total Risk Score |
Risk Level |
Action |
|---|---|---|
|
31-80 |
Medium |
Additional authentication must be requested. |
|
0-30 |
Low |
Allow access. |
Table 5-4 Risk Score Calculation for the Rules
|
Scenario |
Details |
Total Risk Score |
Action |
|---|---|---|---|
|
Rule 1 is successfully evaluated. |
Rule 2 is not considered for rule processing as Rule 1 is configured to exit the policy when condition is met. |
0 |
Access is allowed |
|
Rule 1 and Rule 2 fail. |
In this case, the total risk score is 80 as both the rules have failed. |
80 |
Additional authentication is requested |
You have created three rules to access login requests to a financial application. All rules’ conditions must meet to grant access to a user.
Based on the risk score returned after the rule evaluation, risk level is assigned and action is taken.
Table 5-5 Risk Rules
|
Rules |
Risk Score |
If rule condition is met, then |
|---|---|---|
|
Rule 1 |
50 |
Proceed to Next Rule |
|
Rule 2 |
30 |
Proceed to Next Rule |
|
Rule 3 |
10 |
Exit with Risk Level as...Low |
Table 5-6 Risk Scores and Risk Levels
|
Total Risk Score |
Risk Level |
Action |
|---|---|---|
|
0-30 |
Low |
Allow access |
|
31-50 |
Medium |
Additional authentication |
|
51-100 |
High |
Deny access |
Table 5-7 Risk Score Calculation for the Rules
|
Scenario |
Details |
Risk Score |
Action |
|---|---|---|---|
|
Conditions of Rule 1, Rule 2, and Rule 3 are met |
As all rules are evaluated without errors, the risk score is 0. |
0 |
Access is allowed. |
|
Conditions of Rule 1 are met, but Rule 2 and Rule 3 fail |
The risk score is the value assigned to the rule that failed. |
40 |
Additional authentication is requested. |
|
Rule 1 fails, but conditions of Rule 2 and Rule 3 are met |
The risk score is the value assigned to the rule that failed. |
50 |
Additional authentication is requested. |
|
Conditions of Rule 2 are met, but rule 1 and rule 3 fail |
The risk score is the sum of risk scores of all failed rules. |
60 |
Access is denied. |
|
Rule 2 fails, but conditions of rule 1 and rule 3 are met |
The risk score is the sum of risk scores of all failed rules. |
30 |
Access is allowed. |
|
All rules fail. |
The risk score is the sum of risk scores of all failed rules. |
90 |
Access is denied. |