A risk engine is a tool used by an application to perform adaptive authorization to control access to the application. A risk engine employs a risk policy to customize authorization requirements to minimize the risk that a malicious user may gain access to the application.
When a user attempts to access an application that uses a risk engine, the application requests that the risk engine evaluate the attempt against the applicable risk policy to determine the risk of allowing the user to access the application. In some cases, this evaluation involves generating a risk score by combining scores of a number of conditions. For example, a risk engine could generate a risk score by combining a score generated based on a time when the access is attempted, a score generated based on an IP address from which the access is attempted, and a score generated based on a location from which the attempt originates. The risk engine can then return the risk score to the application to allow the application to decide whether to allow the access.
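The flow described above, sketched as an added example that is not taken from the original document: a risk engine scores the time, IP address and location conditions, combines them, and returns the result to the caller, which decides. The weighted-mean combination, the weights, the thresholds, the "step-up" outcome and all names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class AccessAttempt:
    when: datetime
    ip: str
    country: str

# Constructed risk policy: each condition returns 0 (low risk) to 100 (high risk).
def time_score(a):
    return 0 if 7 <= a.when.hour < 19 else 60      # assumed business hours

def ip_score(a):
    return 0 if ip_address(a.ip) in ip_network("10.0.0.0/8") else 50  # assumed trusted range

def location_score(a):
    return 0 if a.country in {"US", "CA"} else 90  # assumed expected countries

POLICY = [(time_score, 1.0), (ip_score, 2.0), (location_score, 3.0)]  # (condition, weight)

def evaluate(attempt, policy=POLICY):
    """Risk engine: combine the condition scores (weighted mean is an assumption)."""
    return sum(cond(attempt) * w for cond, w in policy) / sum(w for _, w in policy)

def decide(attempt, step_up_at=30, deny_at=70):
    """Caller (application or access manager): act on the returned score."""
    score = evaluate(attempt)
    if score >= deny_at:
        return "deny"
    return "step-up" if score >= step_up_at else "allow"

# Constructed sample attempts (203.0.113.0/24 is a documentation range; "ZZ" is a placeholder).
OFFICE = AccessAttempt(datetime(2024, 5, 6, 10, 0), "10.1.2.3", "US")
ODD_LOCATION = AccessAttempt(datetime(2024, 5, 6, 10, 0), "10.1.2.3", "ZZ")
NIGHT_REMOTE = AccessAttempt(datetime(2024, 5, 6, 2, 0), "203.0.113.7", "ZZ")

if __name__ == "__main__":
    for name, a in [("office", OFFICE), ("odd location", ODD_LOCATION), ("night remote", NIGHT_REMOTE)]:
        print(f"{name}: score={evaluate(a):.1f} decision={decide(a)}")
```

With these assumed weights, an attempt whose only anomaly is the location condition at 90 comes back with a combined score of 45.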
In some cases, an access manager, of which the risk engine may be a part, may be employed to manage a number of applications. In such cases, the access manager, rather than the application, may interface with the risk engine. For example, the access manager may be configured to receive a user's request to access an application and may employ the risk engine to evaluate the access request, including determining whether to grant the access based on a risk score returned by the risk engine.
In either case, in such prior art systems, the risk score that is generated by the risk engine does not always adequately reflect the actual risk of the access attempt. Such prior art systems, and the risk score methodologies they employ, are also not intuitive, making it more difficult for administrators to properly configure their applications (including an access manager) to use the risk score. The present invention is therefore directed to a new and intuitive methodology for combining a set of risk factors to produce a total risk score that more accurately reflects this actual risk.