IBM Security MaaS360

FAQ on User Risk Management

By Ajay Krishnan posted Mon April 26, 2021 10:18 AM


In the MaaS360 Community Discussion forum, we posted the live Q&A from our recent webinar on User Risk Management. We thought you’d also benefit from the FAQ on the topic.


Q: How should I get access to the User risk management feature?

A: The URM feature is available to all our customers. You can get access to the feature by enabling the User Risk Management service in Setup > Services page. Once you enable the service, you should see two new pages - Security Dashboard and Risk Rule Configurator under the Security tab. The Security Dashboard will get populated with data in 24 hours after the User Risk Management service is enabled.


Q: I have enabled the User risk management service on the services page, but I’m not able to see the Risk Rule Configurator page. Is there anything additional which is needed here?

A: The Risk Rule Configurator is visible by default to administrators having the following Roles:

  • Service Administrator
  • Administrator L-2

If you are not able to see the Risk Rule Configurator page, the most common reason is that the role associated with your administrator account does not have the necessary access right. To overcome this issue, please add the access right “Edit Risk Rules” to your current custom role or create a new role with the access right and assign it to the administrator accounts who should be able to see the Risk Rule Configurator.

Q: Does URM impact existing MaaS workflows, including the policies, compliance rules etc?

A: The URM feature is an analytics feature that works on top of the existing MaaS features. It does not impact/replace any of the existing workflows including policies, compliance rules etc. It provides additional insights based on risk behaviors MaaS360 detects across all users and devices


Q: Does all the risk rules work for all customers?

A: While there are multiple risk rules available out of the box for all customers, they work only if

  • the customer has enabled the risk rules in the risk rule configurator
  • the customer has the required feature/capability enabled in their environment. (Eg. The malware detection rule will work only if the customer has purchased Enterprise/MTM)


Q: How frequently is the risk evaluated?

A: The risk engine runs once every 24 hours. During the run, risk engine evaluates existing incidents and new incidents and updates the risk scores accordingly


Q: How does risk score change – increase/decrease?

A: The risk score increases when a new incident is found associated with the risk rules that are enabled. The score decreases based on two factors:

  • The effect of an incident on the risk score decays over time
  • The incident is resolved

The addition/removal of risk rules will also impact the risk score since it leads to new incidents being discovered


Q: What happens to the risk score when the risk rules are added/removed?

A: When new risk rules are added, the subsequent evaluations will consider the risk rules and detect incidents related to the new rules. This could lead to new risk incidents detected and hence increase in the risk scores.

When risk rules are removed, the subsequent evaluations will start ignoring incidents related to the rules. Any existing identified risk incidents associated with the rule will continue to show in the dashboard and will continue to contribute to the user’s risk score till the retention period of the incident is complete (60 days).


Q: What happens to the risk score when the risk rule severity is modified?

A: When the severity of a risk rule is changed – eg. increased from Low to Med/High or reduced from High to Med/Low, the new severity takes into effect for the next run of the risk engine. The risk incidents that are detected in the subsequent risk engine runs will consider the new risk severity


Q: What happens when the risk incident has been resolved by the end-user?

A: When the incident is resolved by the end-user the risk score associated with that incident drops to 0 and the incident is removed from the security dashboard. For certain risk incidents which indicate user behaviour like accessing blocked urls, the user cannot resolve these incidents. Such incidents will decay slowly and drop to 0 in certain number of days depending on the severity of the incident.


Q: Will end users see their risk scores?

A: The URM feature is purely for the administrator. The risk incidents, risk scores etc are visible only to the administrator. The end user does not see his/her risk score. The Security dashboard allows the administrator to notify the end user. The administrator could choose this feature to notify the user about the risk incidents found on the user’s device.