Version: Cloud

Risk calculation

You can calculate the risk score for any:

  • Resource (Resource in Omada Identity of any Resource Category - Role/Permission/Account/Software)
  • Identity

Omada Identity calculates the risk scores of resources and identities based on which classification tags are associated with Systems, Resources, Resource folders, Identities and Business contexts (such as Org. units). Omada Identity only considers classification tags that belong to a classification category marked as "Relevant for risk calculation".

Determining risk-relevant classification tags for Identities

When Omada Identity needs to determine the effective risk-relevant classification tags of an identity, it looks at the identity itself and at the business contexts of which the identity is a direct or indirect member.

Consider the following example:

An organization has three risk-relevant classification categories for employees, named category 1, 2 and 3 respectively. An employee, Paul, works in the Finance department that is part of the CFO organization (see figure below). Paul himself is classified with Category 1: Tag B.

Omada Identity considers Paul to be a direct member of Finance and indirect member of CFO Organization.

[Figure: risk-classification.png]

When Omada Identity computes the risk score for Paul, it needs to take into consideration all three categories. To do this, it uses the following algorithm:

  1. Omada Identity gets the value for Category 1 from Paul himself.
  2. Then, Omada Identity looks at the department level ("Finance"), which is classified Category 1: Tag A and Category 2: Tag D. It takes the value for Category 2 and ignores the value for Category 1 as it already has found one on a lower level.
  3. Now, Omada Identity looks further up in the organization and finds that Finance is located in the CFO organization, which is classified Category 3: Tag F and also has values for Category 1 and 2. It takes the value for Category 3 and ignores the remaining ones, as it already has values for them from the lower levels.

The result is that effectively Omada Identity considers Paul as classified as follows:

  • Category 1: Tag B
  • Category 2: Tag D
  • Category 3: Tag F

Determining risk-relevant classification tags for Resources

When Omada Identity needs to determine the effective risk-relevant classification tags of a resource, it looks at the resource itself and at the resource folder.

It considers tags assigned to the resource first and secondly it considers tags assigned to the resource folder. If no tag from a category is available on the resource itself, the risk calculation will instead consider a tag from the same category at the resource folder level, if available.

If more than one tag from the same category has been applied, the risk calculation will be based on the classification tag with the highest value.

Risk calculation formulas

The following formulas are used when Omada Identity calculates risk scores:

Calculating risk score for a classification tag

The risk score of an individual classification tag is equal to its risk value multiplied by the risk weight factor of the tag's category:

RiskScore(tag) = tag’s RiskValue * tag’s category’s RiskWeight

Calculating risk score for a resource of type Permission

The risk score for a resource is calculated by adding the weighted risk score for the different assigned classification tags together, both for the resource itself as well as the system that the resource relates to.

RiskScore(permission) = RiskScore(permission’s system) + sum(max(RiskScore(permission’s tags per category)))

If the resource folder has a classification tag for a category and the resource does not, then the folder value is used.

Calculating risk score for a resource of type Role

The risk score for a role, which consists of one or several resources, is equal to the highest risk score of the related resources.

RiskScore(role) = max(RiskScore(child resources))

Calculating risk score for a calculated resource assignment

The risk score for a calculated resource assignment is the same as the risk score for the assigned resource.

RiskScore(CRA) = RiskScore(resource)

Calculating risk score for an identity

The risk score for an identity is equal to the max risk score of the assigned resources. This risk score for the identity therefore reflects the highest risk score of all assigned resources. As an example: if an identity has 3 resources assigned which all have a risk score of 60, and 1 resource assigned with a risk score of 75, then the identity will have a risk score of 75.

In addition to the identity risk score based on the risk scores of the assigned resources, it is possible to further increase the identity risk score by adding classification tags directly to the identity itself and/or to related business contexts, if the risk model requires it.

The risk score for the classification tags assigned directly to the identity (and/or business contexts) will be added to the resource-based risk score.

RiskScore(identity) = max(RiskScore(CRAs)) + sum(max(RiskScore(identity’s tags per category)))

Note

If a business context of which the identity is a direct member has a classification tag for a category and the identity does not, then the business context value is used.

If more than one business context has a classification tag for a category, and the identity does not, then the maximum value is used.

If neither the identity nor a business context of which the identity is a direct member has a classification tag for a category, but a business context of which the identity is an indirect member does, then the tag value of that business context is used.
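The tag-resolution rules and the formulas above can be checked together in a small model. This is an added example, not Omada Identity code: the risk values, the weights, the CFO organization's tags for Category 1 and 2 (Tag C, Tag E) and all function names are constructed, and the system score is assumed to be the per-category sum over the system's own tags.

```python
# Constructed model of the rules on this page; values/weights are made up.
WEIGHT = {"Category 1": 2, "Category 2": 1, "Category 3": 3}
VALUE = {"Tag A": 5, "Tag B": 2, "Tag C": 4, "Tag D": 3, "Tag E": 1, "Tag F": 4}


def effective_tags(levels):
    """levels: tiers ordered nearest first (identity, direct contexts,
    indirect contexts; or resource, resource folder). Each tier is a list
    of (category, tag). The nearest tier that has a category wins; inside
    that tier the tag with the highest risk value is kept."""
    chosen = {}
    for tier in levels:
        best = {}
        for category, tag in tier:
            if category in chosen:
                continue  # a lower level already supplied this category
            if category not in best or VALUE[tag] > VALUE[best[category]]:
                best[category] = tag
        chosen.update(best)
    return chosen


def tags_score(levels):
    """Sum of RiskValue * RiskWeight over the effective tag per category."""
    return sum(VALUE[t] * WEIGHT[c] for c, t in effective_tags(levels).items())


def permission_score(resource_tags, folder_tags, system_tags):
    # Assumption: the system's score is the sum over its own tags.
    return tags_score([system_tags]) + tags_score([resource_tags, folder_tags])


def role_score(child_scores):
    return max(child_scores)


def identity_score(cra_scores, levels):
    # A CRA carries the score of its assigned resource.
    return max(cra_scores, default=0) + tags_score(levels)


# Paul: own tag, then Finance (direct member), then CFO org (indirect).
PAUL = [
    [("Category 1", "Tag B")],
    [("Category 1", "Tag A"), ("Category 2", "Tag D")],
    [("Category 1", "Tag C"), ("Category 2", "Tag E"), ("Category 3", "Tag F")],
]

if __name__ == "__main__":
    print(effective_tags(PAUL), identity_score([60, 60, 60, 75], PAUL))
```

Tags from several business contexts at the same membership level go into the same tier, which is where the "maximum value is used" rule applies.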