How to Balance Security with Risk Tolerance and User Experience

When trying to protect customer accounts, managing risk is a hot topic within organizations. In order to build and maintain customer loyalty, providing the best user experience is a high priority. But the best user experience can leave an organization at risk. Managing risk isn’t always about making threat models better or reducing false positives. In some cases you want to add friction, while in others you may want to eliminate it. It’s up to the business to determine what’s acceptable in different scenarios. Tackling this challenge requires a highly flexible and sophisticated risk engine. 

To do this, an organization first needs to understand the realities they are working with in their business. We have found that most companies are challenged with one or more of the following scenarios: 

  1. Internal teams at odds
    There are often teams that are at odds when it comes down to security. On the one hand there are security teams trying to protect users and on the other hand there are product and marketing teams trying to protect the user experience and increase conversions. 
  2. Different user risk
    Not all users carry the same risk. Some organizations have different types of users (buyers vs. sellers in an online marketplace, for example), or some users may be higher value (perhaps making larger transactions).
  3. High-risk activities
    There are certain in-app activities that carry higher risks in the case of an Account Takeover or Fraud attempt. For example: email, password, or credit card changes within an account could be considered highly sensitive events.
  4. Business specific policies
    Some businesses have already identified obvious threat signals specific to their business. Examples include a new device or unusual location appearing on a user’s account, or an event attempted from a datacenter, VPN, or Tor IP address. 

Once the most critical risk-related scenarios are identified, then it becomes easier to custom design segmented user journeys where you can apply granular response and remediation flows based on risk tolerance. 

The flexibility to build custom logic around a combination of personas, user traits, critical events, application actions, device context and more in order to adjust the outcome of events can be very powerful in reducing risk. For your riskiest users and events you can add more friction, while for other personas you can reduce it in order to provide a better experience.

Castle’s most recent release of Risk Policies makes it easy for organizations to implement custom policies in order to address these unique scenarios and A/B test their effectiveness. With customized logic, risk scores, and responses, organizations can highly optimize the user experience and increase conversions yet closely align it with risk tolerance. 

Building a custom Castle Risk Policy is simple. First, organizations determine which scenarios – user, device, event traits – are most critical to the organization. Once the specific scenario is defined, companies clarify whether they want to increase or decrease friction for the user. This is done by defining low, medium, and high risk tiers based on risk score thresholds and by mapping threat signals to a given tier. Finally, they define how to respond to each scenario by establishing custom inline and out-of-band response rules for each tier of their new risk policy.

For illustration, a financial organization might build custom scenarios like the following: 

  • If a power user attempts any withdrawal transaction from a new device or new country, then immediately trigger a security challenge.
  • If a withdrawal attempt comes from a datacenter, then immediately block the transaction.
  • If a user login looks suspicious, prevent email or phone from being changed.
  • If a user account has a zero balance, then remove security friction until the balance status of the account changes.
  • If a new user is in a trial period and hasn’t connected a credit card to their account, then remove security friction until a card is connected or the trial is over.
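To make the three-step procedure above concrete (score thresholds define tiers, threat signals map onto tiers, and each tier or scenario gets a response), here is a small policy evaluator that encodes the five financial-organization scenarios as ordered rules. This is an added example written for this post, not Castle's code or API; the event field names, the 0.3/0.7 score thresholds, the persona labels, and the allow/challenge/deny responses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Added example for this post, not Castle's own code or API. Every field
# name, threshold, persona label, and response label below is an assumption.

TIERS = ("low", "medium", "high")
DEFAULT_RESPONSE = {"low": "allow", "medium": "challenge", "high": "deny"}
# Assumed score thresholds on a 0.0-1.0 scale: >= 0.7 high, >= 0.3 medium.
SCORE_THRESHOLDS = (("high", 0.7), ("medium", 0.3))


@dataclass
class Event:
    user_id: str
    persona: str            # assumed labels: "power_user", "trial_user", "standard"
    action: str             # "login", "withdrawal", "email_change", "phone_change"
    risk_score: float       # assumed 0.0-1.0 output of an upstream risk engine
    balance: float
    new_device: bool = False
    new_country: bool = False
    ip_type: str = "residential"   # "residential", "datacenter", "vpn", "tor"
    trial_active: bool = False
    card_connected: bool = True
    suspicious_login: bool = False


@dataclass
class Decision:
    response: str   # "allow", "challenge", or "deny"
    tier: str       # risk tier after signal escalation
    rule: str       # which rule decided, so the decision can be audited


def tier_from_score(score: float) -> str:
    """Map a raw risk score onto a tier using the assumed thresholds."""
    for tier, threshold in SCORE_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def escalate(tier: str, steps: int = 1) -> str:
    """Move a tier up by `steps`, never past the highest tier."""
    return TIERS[min(TIERS.index(tier) + steps, len(TIERS) - 1)]


def baseline_tier(ev: Event) -> str:
    """Score tier, escalated one step per business-flagged threat signal."""
    tier = tier_from_score(ev.risk_score)
    if ev.ip_type in ("vpn", "tor"):
        tier = escalate(tier)
    if ev.new_device or ev.new_country:
        tier = escalate(tier)
    return tier


# Scenario rules, ordered by precedence: hard blocks first, then added
# friction, then friction removal. Each entry is (name, predicate, response).
RULES = [
    ("withdrawal_from_datacenter",
     lambda e: e.action == "withdrawal" and e.ip_type == "datacenter", "deny"),
    ("contact_change_after_suspicious_login",
     lambda e: e.action in ("email_change", "phone_change") and e.suspicious_login,
     "deny"),
    ("power_user_withdrawal_new_context",
     lambda e: e.persona == "power_user" and e.action == "withdrawal"
     and (e.new_device or e.new_country), "challenge"),
    ("zero_balance_no_friction",
     lambda e: e.balance == 0, "allow"),
    ("trial_without_card_no_friction",
     lambda e: e.trial_active and not e.card_connected, "allow"),
]


def evaluate(ev: Event) -> Decision:
    """First matching scenario rule wins; otherwise the tier's default applies."""
    tier = baseline_tier(ev)
    for name, matches, response in RULES:
        if matches(ev):
            return Decision(response, tier, name)
    return Decision(DEFAULT_RESPONSE[tier], tier, "score_tier")


if __name__ == "__main__":
    # Constructed sample events, one per scenario plus a plain low-risk login.
    samples = [
        Event("u1", "power_user", "withdrawal", 0.1, 500.0, new_device=True),
        Event("u2", "standard", "withdrawal", 0.2, 1000.0, ip_type="datacenter"),
        Event("u3", "standard", "email_change", 0.5, 80.0, suspicious_login=True),
        Event("u4", "standard", "login", 0.9, 0.0),
        Event("u5", "trial_user", "login", 0.5, 10.0, trial_active=True,
              card_connected=False),
        Event("u6", "standard", "login", 0.1, 50.0),
    ]
    for ev in samples:
        d = evaluate(ev)
        print(f"{ev.user_id} {ev.action:12s} -> {d.response:9s} tier={d.tier:6s} rule={d.rule}")
```

Rule order is the design decision that matters here: the two friction-removal scenarios (zero balance, trial without a card) are evaluated only after the block and challenge rules, so a zero-balance account still cannot make a withdrawal from a datacenter IP. The `rule` field in each decision is what you would log so that product and security teams can see which policy fired during an A/B test.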

By implementing more granular risk policies into your account security strategy, it becomes easier for security to reduce risk and be more aligned with the more revenue-focused teams. More agreeing, less compromising, happier users. 
