In the area of computer security, it is often useful to perform a risk assessment. For example, a computer security system may perform a risk assessment when determining whether a user requesting access to a secure resource should be allowed to access the secure resource. In such a case, a risk assessment may generate a result indicating a level of risk that the user requesting access to the secure resource is an imposter. If the result of the risk assessment indicates a high level of risk (e.g. a high level of risk that the user is an imposter), then the security system may either deny access to the resource, provide only restricted access to the resource, or require a more rigorous authentication process be performed in order for the user to access the resource. The specific action performed by a computer security system in response to detecting a high level of risk with regard to a given request often depends on the specific security policies defined in the system.
Risk assessments may be performed based on various types of identity data that describes a user and/or the user's past behavior. In some computer security systems, risk assessments are performed automatically using a risk engine that takes as inputs various pieces of identity data about the user, and then outputs a risk score. The risk score output by a risk engine can be used within the computer security system to determine whether to grant the user's request to access a secure resource, and/or to determine whether additional authentication steps must be performed by the user as part of the request to access the secure resource.
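The flow described above (identity data in, risk score out, policy-dependent response) is sketched below as an added example that is not part of the original text. The signal names, weights, thresholds and the two resource policies are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical signals and weights (assumptions); the score ranges 0-100.
BOOLEAN_SIGNALS = {"new_device": 35, "unusual_location": 30, "unusual_hour": 10}
FAILED_LOGIN_WEIGHT = 25   # reached at 3 or more recent failed logins


@dataclass(frozen=True)
class Policy:
    """Per-resource thresholds; the action taken depends on the policy."""
    step_up_at: int
    restrict_at: int
    deny_at: int

    def __post_init__(self):
        if not 0 <= self.step_up_at <= self.restrict_at <= self.deny_at <= 100:
            raise ValueError("thresholds must be ascending within 0-100")


def risk_score(identity: dict) -> int:
    """Toy risk engine: weighted sum of identity-data signals.

    A signal missing from the identity data is scored as risky, so an
    incomplete record cannot lower the score.
    """
    score = sum(w for name, w in BOOLEAN_SIGNALS.items() if identity.get(name, True))
    failures = max(0, min(int(identity.get("recent_failed_logins", 3)), 3))
    return score + FAILED_LOGIN_WEIGHT * failures // 3


def decide(score: int, policy: Policy) -> str:
    """Map a risk score to one of the responses named in the text."""
    if score >= policy.deny_at:
        return "deny"
    if score >= policy.restrict_at:
        return "restricted_access"
    if score >= policy.step_up_at:
        return "step_up_authentication"
    return "allow"


# Constructed sample data: two resources with different policies, one request.
WIKI = Policy(step_up_at=40, restrict_at=70, deny_at=95)
PAYROLL = Policy(step_up_at=20, restrict_at=50, deny_at=80)
traveller = {"new_device": True, "unusual_location": True,
             "unusual_hour": False, "recent_failed_logins": 0}

if __name__ == "__main__":
    s = risk_score(traveller)
    print(s, decide(s, WIKI), decide(s, PAYROLL))
```

The same request scores identically for both resources, but the stricter policy turns a step-up prompt into restricted access.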