The risk policy looks at the risk level estimated for each of the predictors and then yields an overall risk level of Low, Medium, or High. When you define a user journey with the tools provided by Ping Identity, you decide which of your defined risk policies you would like to associate with that flow. For some situations, you might need to use a stricter risk policy, while for others, you might use a more lenient risk policy.

The default risk policy

When you add the PingOne Protect service to a PingOne environment, it includes a default risk policy. This is the recommended policy for your initial testing of risk evaluations.

The default risk policy has the following characteristics:

  • It uses the Scores approach, which gives you a higher degree of control than the Weights approach.
    Important:

    Weights in risk policies have been deprecated for new PingOne environments but can still be used in existing environments.

  • It includes all of the out-of-the-box predictors, except User Risk Behavior (organization-wide behavior).
  • It assigns a score of 50 for High risk for some of the predictors and a score of 75 for High risk for the remaining predictors. This is based on the premise that the IP-related predictors are less indicative of risky situations than the other predictors.

The risk level for each predictor type is calculated separately. Most predictor types require training and learn from successful events. You can also configure a fallback value for most predictor types to use if there is insufficient information to calculate a risk level.

For more information, see Predictors.

You can also create custom predictors that leverage external or processed data. See Adding custom predictors.
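The following sketch is an added illustration, not PingOne code or a PingOne API, of how a Scores-based policy with the 50 and 75 High-risk scores and per-predictor fallback values could resolve to an overall level. The predictor names, the rule that scores are summed, and both thresholds are assumptions made for the example.

```python
from __future__ import annotations

# Added illustration, not PingOne code. Predictor names, the summing rule and
# both thresholds are assumptions; only the 50/75 High scores come from the page.
HIGH_SCORES = {
    "ip_reputation": 50,          # IP-related (constructed name)
    "anonymous_network": 50,      # IP-related (constructed name)
    "new_device": 75,             # not IP-related (constructed name)
    "user_location_anomaly": 75,  # not IP-related (constructed name)
}
MEDIUM_THRESHOLD = 50  # assumed
HIGH_THRESHOLD = 75    # assumed


def evaluate(levels: dict, fallbacks: dict) -> tuple:
    """Return (overall level, total score, predictors that used their fallback).

    levels maps predictor name -> "LOW"/"MEDIUM"/"HIGH", or None when the
    predictor lacks the data (for example, is still training) to decide.
    """
    total, used_fallback = 0, []
    for name, high_score in HIGH_SCORES.items():
        level = levels.get(name)
        if level is None:
            level = fallbacks.get(name, "LOW")
            used_fallback.append(name)
        if level == "HIGH":  # only the High score is modelled here
            total += high_score
    if total >= HIGH_THRESHOLD:
        overall = "HIGH"
    elif total >= MEDIUM_THRESHOLD:
        overall = "MEDIUM"
    else:
        overall = "LOW"
    return overall, total, used_fallback


if __name__ == "__main__":
    quiet = dict.fromkeys(HIGH_SCORES, "LOW")
    # Constructed events: one IP-related hit, one non-IP hit, one untrained predictor.
    print(evaluate({**quiet, "ip_reputation": "HIGH"}, {}))
    print(evaluate({**quiet, "new_device": "HIGH"}, {}))
    print(evaluate({**quiet, "new_device": None}, {"new_device": "HIGH"}))
```

Under these assumed thresholds, a single IP-related High reading resolves to Medium, while a fallback of High on an untrained predictor rates the event High on its own.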

Staging policies

Staging policies let you fine-tune and test risk policy changes before releasing them to your production policy. Changes in a staging policy do not affect your end users until you promote the staging policy to production.

For more information on creating and managing staging policies, see Creating and managing staging policies.

Custom risk policies

Important:

Customize risk policies only after you’ve accumulated sufficient authentication data and analyzed it.

Use the Risk Policies page in PingOne to modify the default risk policy or create additional risk policies of your own. For more information, see Risk policies.