A risk engine can be configured to produce a total risk score by combining a set of risk factors. A risk policy can define a percentage that is to be assigned to each risk factor that is present in a request to access a web-accessible application. The percentage can represent the amount of risk that can be attributed to the access request when the risk factor is present in the request. The risk policy can also define which mitigating factors apply to each risk factor. Each mitigating factor can also be assigned a percentage by which the mitigating factor will reduce the risk factor when the mitigating factor and risk factor are present in the access request. The risk factors can then be combined to produce the total risk score. The total risk score can be generated as a percentage between 0% and 100%.
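A sketch of the scoring described above, as an added example that is not code from the original document. The text does not say how the risk factors are combined, so this assumes a noisy-OR rule, 1 - Π(1 - r_i), which keeps the total between 0% and 100%, and assumes that several mitigating factors on one risk factor stack multiplicatively; all factor names and percentages are constructed.

```python
from math import prod

# Constructed policy: "risk" is the percentage attributed to the request when
# the factor is present; "mitigations" maps each applicable mitigating factor
# to the percentage by which it reduces that risk factor.
POLICY = {
    "unknown_device":  {"risk": 40, "mitigations": {"valid_otp": 50, "corporate_network": 25}},
    "new_geolocation": {"risk": 30, "mitigations": {"valid_otp": 40}},
    "tor_exit_node":   {"risk": 70, "mitigations": {}},
}


def validate_policy(policy):
    """Reject percentages outside 0..100 so the total stays a valid percentage."""
    for factor, rule in policy.items():
        for pct in (rule["risk"], *rule["mitigations"].values()):
            if not 0 <= pct <= 100:
                raise ValueError(f"{factor}: percentage {pct} outside 0..100")


def mitigated_risk(factor, present, policy=POLICY):
    """Risk fraction for one factor after applying the mitigations present."""
    rule = policy[factor]
    risk = rule["risk"] / 100
    for mitigation, pct in rule["mitigations"].items():
        if mitigation in present:
            risk *= 1 - pct / 100  # assumption: mitigations stack multiplicatively
    return risk


def total_risk_score(request_factors, policy=POLICY):
    """Total risk score in percent for the factors observed in an access request."""
    present = set(request_factors)
    risks = [mitigated_risk(f, present, policy) for f in policy if f in present]
    # Assumed combination rule (noisy-OR): bounded by 0 and 100 by construction.
    # A mitigating factor with no matching risk factor contributes nothing.
    return round(100 * (1 - prod(1 - r for r in risks)), 2)


validate_policy(POLICY)

if __name__ == "__main__":
    for req in (["unknown_device"],
                ["unknown_device", "valid_otp"],
                ["unknown_device", "new_geolocation", "tor_exit_node"]):
        print(req, "->", total_risk_score(req), "%")
```
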