20.1 Understanding Risk Levels and Risk Scoring

Identity Governance provides risk levels to help you classify and label risk factors that matter to your organization. You can configure the number of levels, size of levels, and names of levels to make them appropriate for your organization and stakeholders. Risk scoring provides a means for manually setting or calculating risk for the entire organization as well as for catalog objects and policies.

Identity Governance administrators can customize the following risk policies:

  • Risk level configuration

  • Governance risk score

  • Application risk score

  • User risk score

  • Risk score schedule

Users with the following authorizations can manage and customize risk settings for your Identity Governance environment:

  • Customer, Global, or Data Administrator

  • Auditor (read only)

See the following sections for more details about how Identity Governance helps you manage risk in your environment:

20.1.1 Risk Levels

Identity Governance gives you the flexibility to create a risk scale of your own choosing. If your environment requires a high level of granularity, you can specify up to 10 risk levels. When you set the risk level size, Identity Governance automatically divides the risk levels in even increments and sets the maximum risk value for calculated values to the maximum value specified in your settings. You can further customize the risk levels by providing your own naming system to the levels. A color-code is assigned to each level ranging from blue at the low end to red at the high end.
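The following is an added example, not Identity Governance code, of the risk level scale described above. It divides the 0 to maximum range into the configured number of even increments, names the levels, and maps a calculated score to its level. The level names, the colour gradient (a plain blue-to-red interpolation, not the product's palette), the minimum of one level and the sample scores are this example's assumptions.

```python
"""Risk level scale: even increments from 0 to max_value, named and colour-coded.

Added example, not product code. The page states up to 10 levels; the minimum
of 1 and the hex colour gradient are assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class RiskLevel:
    index: int      # 1 = lowest risk
    name: str
    lower: float    # inclusive
    upper: float    # exclusive, except that the top level includes max_value
    colour: str     # illustrative hex colour, blue (low) to red (high)


def build_risk_levels(count: int, max_value: float,
                      names: Optional[Sequence[str]] = None) -> List[RiskLevel]:
    """Build `count` evenly sized levels covering 0..max_value."""
    if not 1 <= count <= 10:
        raise ValueError("between 1 and 10 risk levels are supported")
    if max_value <= 0:
        raise ValueError("max_value must be positive")
    if names is None:
        names = [f"Level {i}" for i in range(1, count + 1)]
    if len(names) != count:
        raise ValueError("supply exactly one name per level")
    size = max_value / count                         # even increments
    levels = []
    for i in range(count):
        t = i / (count - 1) if count > 1 else 1.0    # 0.0 at the low end, 1.0 at the high end
        red, blue = round(255 * t), round(255 * (1 - t))
        levels.append(RiskLevel(i + 1, names[i], i * size, (i + 1) * size,
                                f"#{red:02x}00{blue:02x}"))
    return levels


def classify(score: float, levels: Sequence[RiskLevel]) -> RiskLevel:
    """Return the level a score falls in.

    Calculated scores never exceed the configured maximum (the text caps them
    there), so the clamp to the top level only matters for manually set scores.
    """
    if score < 0:
        raise ValueError("risk scores are zero or greater")
    top = levels[-1]
    if score >= top.upper:
        return top
    return next(lvl for lvl in levels if lvl.lower <= score < lvl.upper)


if __name__ == "__main__":
    scale = build_risk_levels(4, 1000, ["Low", "Medium", "High", "Critical"])
    for lvl in scale:
        print(f"{lvl.index} {lvl.name:<9} {lvl.lower:>6g} - {lvl.upper:<6g} {lvl.colour}")
    for s in (0, 249.9, 250, 1000):
        print(f"score {s:>6} -> {classify(s, scale).name}")
```

With four levels and a maximum of 1000 the boundaries fall at 0, 250, 500 and 750; a score of exactly 250 lands in the second level, and a score equal to the maximum lands in the top level.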

20.1.2 Risk Scoring

A risk score quantifies the level of risk that an entity, such as a user or account, exposes an organization to. A higher risk score indicates that you have identified that item as riskier to your organization. You can manually set risk scores by collecting risk score attributes along with objects you collect or by using Identity Governance to assign risk scores to individual objects.

You can collect risk scores or assign risk scores to the following items:

  • Users

  • Accounts

  • Applications

  • Permissions

  • Technical roles

  • Separation of duties policies

  • Business roles

  • Certification policies

A calculated risk score is based on risk factors and the relative weighting of those factors that you define. You can configure Identity Governance to calculate the following risk scores, either on demand or on a regular schedule:

Governance (your overall system score)

Represents the current level of risk related to access and security that your organization is exposed to based on the risk factors and risk weights you have defined.

Application

Represents the current level of risk related to access and security of each application that your organization is exposed to based on the risk factors and risk weights you have defined.

User

Represents the current level of risk related to access and security for each user that your organization is exposed to based on the risk factors and risk weights you have defined.

NOTE: Objects and policies whose risk was not set are not considered in calculations. Only objects and policies with a value of zero or greater are included. For example, if a user has two accounts with risk values of 50 and “Not set” respectively, the average Base Score calculation for Risk of accounts assigned to the user is 50, because the second account is ignored since its value was not set.

20.1.3 Risk Factors

Risk factors, the metrics that affect a risk score, apply to specific items and can have a positive or negative impact on the item's risk score. The weight of a risk factor is the percentage of an item's risk that the factor comprises. The maximum value for any risk factor component is the maximum risk score for the item multiplied by the percentage weight of the factor. For example, if an organization specifies that the user risk score has a maximum value of 1000 and defines 3 risk factors of equal weight, each risk factor can account for at most one third of the user's risk score.

For some risk factors, Identity Governance uses either the average value or the maximum value for that factor, based on which one you select. Other risk factors use a range of values that you set. When you assign a weight to a risk factor such as Number of unmapped accounts, Identity Governance then looks at the range you have specified. If the value of the risk factor is at or above the high range, Identity Governance applies the full weight for that risk factor to the risk score. If the value is below the high range, Identity Governance applies a proportional share of the weight, equal to the percentage of the high range that the value represents. If a risk factor value is at or below the low range, that factor does not add anything to the risk score.

You can use the following risk factors to control how Identity Governance calculates risk scores in your environment.

Governance Risk Factors

  Risk Factor                                                         Type
  User risk scores                                                    Average or Max
  Application risk scores                                             Average or Max
  Account risk scores                                                 Average or Max
  Business role risk scores                                           Average or Max
  Technical role risk scores                                          Average or Max
  Permission risk scores                                              Average or Max
  Number of unmapped accounts                                         Low to high range
  Number of unauthorized assignment (permission and technical role)   Low to high range
  Number of outstanding SOD violations                                Low to high range
  Number of expired certification violations                          Low to high range
  Total number of certification violations                            Low to high range
  Number of no decision certification violations                      Low to high range
  Number of not reviewed certification violations                     Low to high range

Application Risk Factors

  Risk Factor                                                         Type
  Risk of assigned permissions in application                         Average or Max
  Risk of accounts in application                                     Average or Max
  Number of unmapped accounts                                         Low to high range
  Number of permissions in the application                            Low to high range
  Number of exceptions (access not authorized by policy)              Low to high range
  Number of expired certification violations                          Low to high range
  Total number of certification violations                            Low to high range
  Number of no decision certification violations                      Low to high range
  Number of not reviewed certification violations                     Low to high range
  Collected application risk score attribute                          Application attribute (typically application risk)

User Risk Factors

  Risk Factor                                                         Type
  Risk of permissions assigned to user                                Average or Max
  Risk of accounts assigned to user                                   Average or Max
  Number of outstanding SOD violations                                Low to high range
  Number of exceptions (access not authorized by policy)              Low to high range
  Number of permissions assigned to the user                          Low to high range
  Number of business roles the user is in                             Low to high range
  Collected user risk score attribute                                 Value
  Number of expired certification violations                          Low to high range
  Total number of certification violations                            Low to high range
  Number of no decision certification violations                      Low to high range
  Number of not reviewed certification violations                     Low to high range
  Days past expired certification                                     Impact

20.1.4 Risk Score Calculation Details

Identity Governance performs separate calculations to determine an overall governance risk score and overall risk scores for each application and user.

NOTE: Large data sets can result in long calculation times. Identity Governance allows you to click Cancel to stop a risk score calculation in progress. If you have a large data set, consider scheduling risk score calculation at a time outside of normal business hours. See Section 20.4, Setting and Viewing Risk Calculation Schedules and Status.

The calculations use the following variables:

  • RFV: raw risk factor value

  • LL: lower boundary (typically 0)

  • UL: upper boundary (100)

  • URL: upper risk level value from risk level configuration

  • FW: factor weight as a percentage

  • RRFV: ranged risk factor value

  • RIS: raw impact score. This is set to the impact value of the first interval range that matches the RFV.

  • NPA: number of assigned permissions

Calculations include the following scores:

  • FRS: factor risk score

  • RS: overall entity risk score, calculated as the sum of all configured risk factor scores for the entity whose FW > 0

Count risk factor score

FRS = RRFV * FW/100 where:

  • RRFV = URL if (RFV - LL) > 0 is true and (RFV - UL) >= 0 is true

  • RRFV = 0 if (RFV - LL) > 0 is false

  • RRFV = RFV * URL / (UL - LL) if (RFV - LL) > 0 is true and (RFV - UL) >= 0 is false

Example

When:

  • RFV is equal to NPA

  • LL = 0

  • UL = 50

  • URL = 500

  • FW = 100

Then:

  • For NPA = 15, RFV = 15; 15 - 0 > 0 is true and 15 - 50 >= 0 is false; RRFV = 15 * 500 / (50 - 0) = 150 and FRS = 150 * 100/100 = 150

  • For NPA = 50, RFV = 50; 50 - 0 > 0 is true and 50 - 50 >= 0 is true; RRFV = 500 and FRS = 500 * 100/100 = 500

  • For NPA = 0, RFV = 0; 0 - 0 > 0 is false; RRFV = 0 and FRS = 0 * 100/100 = 0

Aggregate risk factor score

FRS = RFV * FW/100

Interval based impact risk factor score

NOTE: This score is supported only for the overdue violations risk factor.

FRS = RIS * FW/100

Example

User has the following types of certification policy violations:

  • No decision violation - 1

  • Overdue 5 days violation - 1

  • Overdue 15 days violation - 2

  • Overdue 100 days violation - 3

Interval is configured as:

  • Impact 200 for violations overdue 1 to 100 days

  • Impact 400 for violations overdue over 101 days

FW is set to 100.

Based on the above conditions:

  • RFV will be set to 100 because the maximum number of days any of the user's certification policy violations is overdue is 100

  • RIS will be set as 200 because RFV = 100 is within the first interval range

  • FRS = 200*100/100 = 200

Overall entity risk score

RS = SUM(FRS) where FW > 0
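The following is an added example, not Identity Governance code, that carries the three factor formulas above (count or low-to-high range, aggregate Average-or-Max, and interval-based impact) and the RS = SUM(FRS) rule through in working code, using the variable names of this section. It also applies the rule from the NOTE in 20.1.2 that items whose risk is "Not set" are ignored when averaging. The interval table reproduces the page's example; the sample user, its permission risks, overdue days and factor weights are constructed values, and the assumption that "over 101 days" means 101 days or more is this example's.

```python
"""Worked model of the risk score calculations described in this section.

Added example, not product code. Implements the count (low-to-high range),
aggregate (Average or Max) and interval-based impact factor scores exactly
as the text states them, plus RS = SUM(FRS) over factors with FW > 0.
"""
from typing import List, Optional, Sequence, Tuple


def count_factor_score(rfv: float, ll: float, ul: float, url: float, fw: float) -> float:
    """Count factor: FRS = RRFV * FW/100, with RRFV as in the text:
      RRFV = URL                   if RFV - LL > 0 and RFV - UL >= 0
      RRFV = 0                     if RFV - LL > 0 is false
      RRFV = RFV * URL / (UL - LL) otherwise (value between the bounds)
    """
    if not (rfv - ll > 0):
        rrfv = 0.0
    elif rfv - ul >= 0:
        rrfv = float(url)
    else:
        rrfv = rfv * url / (ul - ll)
    return rrfv * fw / 100


def aggregate_raw_value(values: Sequence[Optional[float]], mode: str) -> Optional[float]:
    """RFV for an Average-or-Max factor.

    Per the NOTE in 20.1.2, items whose risk is "Not set" (None here) are
    ignored; only values of zero or greater take part. None if nothing is set.
    """
    present = [v for v in values if v is not None and v >= 0]
    if not present:
        return None
    if mode == "average":
        return sum(present) / len(present)
    if mode == "max":
        return float(max(present))
    raise ValueError(f"unknown aggregation mode {mode!r}")


def aggregate_factor_score(rfv: Optional[float], fw: float) -> float:
    """Aggregate factor: FRS = RFV * FW/100; no ranging is applied."""
    return 0.0 if rfv is None else rfv * fw / 100


# (low_days, high_days, impact); high_days=None is open-ended. Constructed from
# the page's example: impact 200 for 1..100 days, 400 from 101 days upward.
INTERVALS: List[Tuple[int, Optional[int], int]] = [(1, 100, 200), (101, None, 400)]


def interval_impact_score(days_overdue: Sequence[int],
                          intervals: Sequence[Tuple[int, Optional[int], int]],
                          fw: float) -> float:
    """Interval-based impact factor: FRS = RIS * FW/100.

    RFV is the largest number of days any violation is overdue; RIS is the
    impact of the first interval that contains RFV (0 if none matches).
    """
    if not days_overdue:
        return 0.0
    rfv = max(days_overdue)
    ris = 0
    for low, high, impact in intervals:
        if rfv >= low and (high is None or rfv <= high):
            ris = impact
            break
    return ris * fw / 100


def entity_risk_score(factor_scores: Sequence[float], weights: Sequence[float]) -> float:
    """RS = SUM(FRS) over the factors whose FW > 0."""
    return sum(frs for frs, fw in zip(factor_scores, weights) if fw > 0)


URL = 1000  # upper risk level value of a constructed risk level configuration


def sample_user_score() -> dict:
    """Constructed user with three weighted factors (FW 40 + 40 + 20 = 100)."""
    permission_risks = [200, 800, None]   # third permission has risk "Not set"
    overdue_days = [5, 120]               # two overdue certification violations
    weights = [40, 40, 20]
    frs_perm = aggregate_factor_score(aggregate_raw_value(permission_risks, "average"), weights[0])
    frs_count = count_factor_score(len(permission_risks), 0, 10, URL, weights[1])
    frs_impact = interval_impact_score(overdue_days, INTERVALS, weights[2])
    rs = entity_risk_score([frs_perm, frs_count, frs_impact], weights)
    return {"permission_risk": frs_perm, "permission_count": frs_count,
            "overdue": frs_impact, "RS": rs}


if __name__ == "__main__":
    for name, frs in sample_user_score().items():
        print(f"{name:>17}: {frs:g}")
```

For the constructed user the average permission risk is 500 (the unset permission is skipped), so that factor contributes 500 * 40/100 = 200; the count of 3 permissions against an upper bound of 10 gives RRFV = 300 and FRS = 120; the 120-day violation falls in the second interval and contributes 400 * 20/100 = 80; RS is therefore 400. Note that each factor's contribution is capped at URL * FW/100, which is the one-third cap described in 20.1.3 when three factors share the weight equally.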

Keep in mind the following notes about raw score values:

  • For average or max risk factor types, the raw score will be set to either the average or maximum value of all values for a specific calculation. For example, if the administrator has configured that the risk of permissions assigned to users be averaged, Identity Governance averages the permission risk values for each user in the catalog and reports this number as the raw score.

  • For low to high range risk factor types, the raw score will be the value for a specific measure. For example, for the Number of outstanding SOD violations risk factor, the raw score will be equal to the total number of outstanding SoD violations.

  • For value risk factor types, the raw score will be set to a value. For Collected user risk score attribute factor it will be set to the value of the user attribute configured in the risk factor. For the Risk attribute it will be set to the collected risk value. For any other attribute, it will be set to the collected or curated value at calculation time.

  • For impact risk factor types, the raw score will be set to a number of days.

Keep in mind the following notes about ranged scores:

  • For low to high range risk factor types, the ranged score depends on the upper and lower boundaries configured for the factor. The upper boundary is the value at which risk is maximal. Two kinds of boundary are involved: the risk level configuration defines the upper risk level value, and each factor defines its own upper and lower boundaries.

    The calculation compares the raw value to the factor's upper boundary to scale it. If the value is at or above the boundary, the full weight is applied to the raw risk score. If the value is below the upper boundary, the calculation determines what percentage of the upper boundary (maximum risk) the raw score represents and applies that percentage of the weight.

    A value at or below the lower boundary means the factor is below threshold and has no effect on the risk score.

  • For impact risk factor types, the raw score will be evaluated against the configured interval and proper impact will be determined.

20.1.5 Visualizing Risk

Identity Governance provides several ways to visualize the risk factors in your environment:

  • As a separate tab on User and Application details pages

  • As a governance risk score, and a trend graph if multiple scores exist, displayed on the Overview page

  • As a governance risk score and context information on the Risk policy administration page

In most areas, you can also drill down to details that show more context for how Identity Governance has assessed the risk.

Identity Governance assigns a color code to each risk level ranging from blue at the low end to red at the high end. These colors display with risk scores to help you further understand how the score fits into your customized risk level ranges.