Home » Risk Scoring: What it is and How to Enable it

Risk Scoring: What it is and How to Enable it

What is risk scoring?

risk scoring

The process of calculating a number, or score, to help determine the risk level of a user, device, or entity in the presence of risk factors is called risk scoring. The approach of using a risk-based score helps businesses capture more information about users than they can do with the traditional KYC methods.

A risk scoring system generally has two components, namely: vulnerability characterization and the effect on business operations. It enables businesses to continuously review and monitor consumer activity to assign new risk scores when consumer behavior evolves with changing business dynamics. 

Types of risk scores

Risk scores are broadly classified into two types as described below:

  • Internal Risk Scores: The scores assigned refer assessment of risks emanating from within the company are called internal risk scores. Often, they are difficult to score as internal risks are usually not identified. Some of the most common internal risks include inadvertent human errors that may cause data leaks, poorly defined roles and responsibilities that result in no accountability, damage and loss of business assets.
  • External Risk Scores: Scores assigned to risks emanating externally to the organization are termed external risk scores. External risks can be potentially everything that can threaten business operations. Businesses assess these risks to deploy adequate safety measures in order to protect business and consumer interests. Some of the common external risks include cyberattacks, dynamic economic environment, and natural disasters, among others.

Calculating risk score

Risk identification and risk analysis are two steps before getting down to calculate risk scores. Let us look at each of these components a bit more closely:

  1. Risk Identification: Risk identification is an ongoing process that begins at the point of entry and continues through the consumer lifecycle. While assessing risks, it is possible that some risks are easy to identify (known risks) while there are some that will need much more effort to uncover.
  2. Risk Analysis: The next step after risk assessment is to analyze the identified risks and understand the threats they pose to the business. Risk analysis enables businesses to calculate the probability of a threat and its likely impact. These insights inform the decision-making on deploying appropriate countermeasures to mitigate the risks.

Finally, the risk score is calculated by multiplying the risk impact rating with risk probability. However, for dynamic risks, such as Test Case Weight, the assessment score is a function of predefined settings and does not get influenced by the current impact.

Here is a high-level illustration of how a risk score is defined.

Detection Anomaly Velocity Risk Classification
1 anomaly detected Low Low
  Medium Medium
  High High
2 anomalies detected Low Medium
  Medium, High High
3 anomalies detected Low, Medium, High High


The need for risk scores

Accurate risk scoring is critical to an efficient risk management system as it allows anomaly detection, helps identify risks, and prevent possible operational and reputational damage to the business. 

Attackers are improving their attack tactics every single day. To keep up with this evolution of attacks, businesses need advanced detection capabilities. They need ways to evaluate incoming traffic and signals in multiple ways so they can accurately identify various attack vectors. It is possible that a session has multiple attack vectors leading it to be categorized as high risk. When minor anomalies are detected, the session may be categorized as medium risk.

This categorization of risk scores helps eliminate some of the complexity of the detection process as well as apply a response strategy that is proportional to the risk associated. Accurate risk scores help businesses build defense systems that not only help protect the business from multiple threats but also minimize the damage to consumers’ account security in case of an adverse incident.


Risk scoring is the process of calculating a score that helps determine the risk level of a user in the presence of risk factors.

The key components while calculating risk score are risk identification and risk analysis.

Risk scoring is needed to identify and mitigate risks that have the potential to damage operations and the reputation of a business.

Global brands trust Arkose Labs in their fight against fraud and online abuse. Arkose Labs uses a risk score model that takes into consideration the risk associated with the anomaly as well as the velocity at which it is encountered. Depending on the method contributing to the risk score, we further categorize the anomalous traffic as standard bots, advanced bots, click farms and malicious humans.

We assign a default contributing score between 0 and 100 to the current and future detection methods. For instance, a request coming from an IP address that is known to be a proxy service or a VPN will be flagged. Since privacy-conscious consumers use proxy and VPN services, it is given a contributing score of 10. On the other hand, requests with an invalid fingerprint coming at high velocity will be given a contributing score of 80. Individual contributing scores are processed through the risk scoring function which computes the resulting risk score for the request.

Our new risk model provides the most consistent accuracy and classification across customers. It makes our solution more flexible, easier to maintain, consume and understand than ever before. It is also possible to adjust the model when needed to help preserve the most optimal accuracy and opportunities for self-serviceability.

Along with the risk score, Arkose Labs provides evidence of the anomalies found with their respective contributing score as also the classification and categorization. Therefore, our conversion of the detection outcome into a risk score does not make the system opaque. Customers can access information through the real-time logging API and verify API. The dashboard in the new control center reflects the new risk score information.