Risk policies determine how the various risk predictors are combined, and how the aggregated risk score should be translated into a final risk level of Low, Medium, or High.
You can modify the default risk policy or create additional custom risk policies of your own. After you have defined risk policies, you can use them as part of the integration with PingFederate, part of a flow designed with PingOne DaVinci, or part of a user journey built with the PingOne API.
Build risk policies on the Risk Policies page, which you can access from the Threat Protection menu.
When you build and customize a risk policy, you make decisions about the following:
- Which predictor types should be included when calculating the overall risk?
When you create a new risk policy, it includes the following subset of the predictor types that PingOne supports:
- Anonymous network detection
- Geovelocity anomaly
- IP reputation
- IP velocity
- New device
- User velocity
- User-based risk behavior (UEBA - individual user)
- User location anomaly
The scores assigned to the various predictors in the default risk policy are not uniform. The risk predictors that are not related to the detected IP are given a higher score because they are a better indication of serious risk.
You can also create custom risk predictors that analyze data that you provide. For more information, see Adding custom predictors.
Note:The default risk policy includes a New Device predictor. To have this predictor included in the actual risk evaluation, your authentication flow must provide information that can be used to identify individual devices. The best way to do this is to bring the information from the PingOne Signals (Protect) SDK. Having the predictor included in the risk evaluation can also be done by providing a persistent cookie as input.
- For each predictor type included, do you want to use the default predictor or one
that you have customized?
Customize predictors on the Predictors page.
- What method do you want to use to adjust the degree that each included predictor
should be taken into account when calculating the overall risk score?
There are two methods of combining the predictors (controlled with the switch at the top of the page):
- Weights
- Determines the relative weights that should be used when calculating the
individual risk score for each predictor.Important:
Weights in risk policies have been deprecated for new PingOne environments but can still be used in existing environments.
- Scores
- Exercises more control over the overall calculation because you can specify an exact numerical score that should be assigned when PingOne Protect determines that there is a medium or high-risk level for a predictor.
- What specific weight or score should be assigned to each predictor included in the
policy?
This is relevant for both the weights and scores approaches, although the UI differs slightly between them.
- How should the aggregated risk score that was calculated be translated into a final
risk level?
Controls are provided on the Risk Policies page to map the aggregated risk score to the three categories that represent the final result of the risk analysis: low, medium, and high.
- Do you want to use overrides?
You can define overrides that assign a specific final risk level (low, medium, or high) based on a specific criterion, regardless of what the overall calculated risk score was. For example, you can define an override that states that if a geovelocity anomaly is detected, the final risk evaluation should be High, regardless of what the overall risk calculation score is.
Note:If you enter text in the Note field for overrides, the text is returned in the API response.
Best practices for risk policies
When you are first starting out with risk policies, it is recommended that you take advantage of the Risk Policy Assistant, which generates risk policies that match your organization's needs. On the basis of your responses to a number of basic questions, the assistant creates a new policy and assigns different scores to the various predictors to maximize the accuracy of your risk evaluations. To launch the Risk Policy Assistant, click the Assistant button.
