Risk policies
Risk policies determine how the various risk predictors are combined and how the aggregated risk score should be translated into a final risk level of low, medium, or high. Learn more about how risk policies work in Introduction to risk policies.
You can modify the default risk policy or create additional custom risk policies of your own. After you’ve defined risk policies, you can use them as part of the integration with PingFederate or PingOne Advanced Identity Cloud or part of a flow designed with PingOne DaVinci or the PingOne API.
Learn more about building risk policies in Adding a risk policy and Integrating PingOne Protect with user journeys.
When you build and customize a risk policy, you make decisions about the following:
- Which predictor types should be included when calculating the overall risk?
  When you create a new risk policy, it includes the following subset of the predictor types that PingOne supports:
  - Anonymous network detection
  - Geovelocity anomaly
  - IP reputation
  - IP velocity
  - New device
  - User velocity
  - User-based risk behavior
  - User location anomaly
  The scores assigned to the various predictors in the default risk policy are not uniform. The risk predictors that are not related to the detected IP are given a higher score because they are a better indication of serious risk.
  You can also create custom risk predictors that analyze data that you provide. Learn more in Adding custom predictors.
  The default risk policy includes a New Device predictor. To have this predictor included in the actual risk evaluation, your authentication flow must provide information that can be used to identify individual devices. The best way to do this is to bring the information from the PingOne Signals (Protect) SDK. You can also have the predictor included in the risk evaluation by providing a persistent cookie as input.
- For each predictor type included, do you want to use the default predictor or one that you have customized?
  Learn more in Configuring predictors.
- What method do you want to use to adjust the degree to which each included predictor is taken into account when calculating the overall risk score?
  There are two methods of combining the predictors (controlled with the switch at the top of the page):
  - Weights: Determines the relative weights that should be used when calculating the individual risk score for each predictor.
    Weights in risk policies have been deprecated for new PingOne environments but can still be used in existing environments.
  - Scores: Gives you more control over the overall calculation because you can specify an exact numerical score that should be assigned when PingOne Protect determines that there is a medium or high risk level for a predictor.
- What specific weight or score should be assigned to each predictor included in the policy?
  This is relevant for both the weights and scores approaches, although the UI differs slightly between them.
- How should the aggregated risk score that was calculated be translated into a final risk level?
  Controls are provided on the Risk Policies page to map the aggregated risk score to the three categories that represent the final result of the risk analysis: low, medium, and high.
- Do you want to use overrides?
  You can define overrides that assign a specific final risk level (low, medium, or high) based on a specific criterion, regardless of what the overall calculated risk score was. For example, you can define an override that states that if a geovelocity anomaly is detected, the final risk evaluation should always be high.
  If you enter text in the Notes field for overrides, the text is returned in the risk evaluation response.
- Do you want to use mitigations?
  You can configure mitigations in a risk policy to define custom recommended actions to be included in the risk evaluation response if a given condition is met. For example, you can configure a mitigation rule to recommend denying access if the email reputation predictor returns high risk. You must then translate the recommended action into an action in your user flow.
  If you enter text in the Notes field for mitigations, the text is returned in the risk evaluation response.
- What type of policy should you create?
  There are two types of risk policies:
  - Global: Allows you to configure predictor scores, risk thresholds to map the scores to a risk level, and overrides or mitigations that take priority over the scores and levels. When using a global risk policy, you must choose which risk policy to pass to the risk evaluation.
  - Targeted: Allows you to choose flow types, applications, and user groups to which the risk policy will apply in addition to configuring predictor scores, risk thresholds to map the scores to a risk level, and mitigations. When using targeted policies, you can pass multiple risk policies to the risk evaluation and allow PingOne Protect to choose the applicable policy based on the defined criteria. During risk evaluations, policies are processed in the order displayed in the Targeted Policies list. Processing stops when the target criteria for a policy are met.
  Learn more in Adding a risk policy.
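
The following is an added example, not code from this page or from PingOne: a simplified local model of the decisions above, showing how list order decides which targeted policy is used and how an override replaces the level derived from the score. It assumes the aggregated score is the sum of the per-predictor scores and that each target criterion holds a single value; the policy names, scores, thresholds, and flow-type strings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    scores: dict        # predictor -> {"MEDIUM": n, "HIGH": n}
    medium_min: int     # aggregated score at which the level becomes MEDIUM
    high_min: int       # aggregated score at which the level becomes HIGH
    overrides: list = field(default_factory=list)  # (predictor, level, final, note)
    target: dict = field(default_factory=dict)     # criterion -> allowed values

def select_policy(targeted, ctx):
    """Return the first policy, in list order, whose target criteria all match."""
    for policy in targeted:
        if all(ctx.get(k) in allowed for k, allowed in policy.target.items()):
            return policy   # processing stops at the first match
    return None

def evaluate(policy, predictor_levels):
    """Return (final level, aggregated score, override note)."""
    # Assumption: the aggregated score is the sum of the per-predictor scores.
    total = sum(policy.scores.get(name, {}).get(level, 0)
                for name, level in predictor_levels.items())
    for name, level, final, note in policy.overrides:
        if predictor_levels.get(name) == level:
            return final, total, note   # override ignores the calculated score
    if total >= policy.high_min:
        return "HIGH", total, None
    if total >= policy.medium_min:
        return "MEDIUM", total, None
    return "LOW", total, None

# Constructed sample policies and predictor results (hypothetical values).
SCORES = {"IP reputation": {"MEDIUM": 10, "HIGH": 30},
          "New device": {"MEDIUM": 20, "HIGH": 50},
          "Geovelocity anomaly": {"MEDIUM": 30, "HIGH": 60}}
GLOBAL = Policy("global", SCORES, 40, 75, overrides=[
    ("Geovelocity anomaly", "HIGH", "HIGH", "impossible travel")])
ALL_AUTH = Policy("all-authentication", SCORES, 40, 75,
                  target={"flow_type": {"AUTHENTICATION"}})
ADMIN = Policy("admin-console", SCORES, 20, 40,
               target={"flow_type": {"AUTHENTICATION"}, "app": {"admin-console"}})
CTX = {"flow_type": "AUTHENTICATION", "app": "admin-console"}
SIGNALS = {"IP reputation": "HIGH", "New device": "MEDIUM"}   # 30 + 20 = 50

if __name__ == "__main__":
    for order in ([ALL_AUTH, ADMIN], [ADMIN, ALL_AUTH]):
        chosen = select_policy(order, CTX)
        print(chosen.name, evaluate(chosen, SIGNALS))
    print(evaluate(GLOBAL, {"Geovelocity anomaly": "HIGH"}))
```

With the broad policy listed first, the stricter admin-console policy is never reached for the same request, so the same signals yield a medium level instead of high.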
Best practices for risk policies
When you’re first starting out with risk policies, you should use the Risk Policy Assistant, which generates risk policies that match your organization’s needs. Based on your responses to a number of questions, it creates a new policy and assigns different scores to the various predictors to maximize the accuracy of your risk evaluations. To launch the Risk Policy Assistant, click Assistant on the Risk Policies page.
