The old adage that “for a business to survive, it must adapt” might be trite, but it’s true.
And although the need for adaptability amidst constantly changing, difficult circumstances might be common knowledge for any company, staying in a position to adapt is much harder in practice.
There is a school of thought which addresses this difficulty called preserving optionality; that is, building a foundation diverse in thinking and capabilities to address any potential problems that may occur in an unpredictable and erratic world.
In this post, we’ll explore this concept, outline why it’s crucial in a fraud & risk context, and shed light on limitations that come with an opposite, specialized approach with regard to security practices.
Winning in Chess (or in Business)
In a game of chess, two players start with identical pieces and capabilities. Their aim is to remove the other’s pieces from the board through attack, with the goal of capturing the other player’s king.
As the game progresses, the stronger player often whittles down their opponents pieces more than losing their own, leaving their opponent with fewer options for moves.
The game ends when the losing player has no other option but to move their king into an attack which will claim it, called a “checkmate”.
The importance of preserving optionality is exemplified here, and can be applied to virtually any competitive endeavor, be it chess, running a business, or stopping fraudsters.
Having more customers as a business means more options for revenue streams; more employees means covering more tasks in the same time, a more comprehensive strategy, and so on.
Similar to a chess game, having more resources than a competitor allows a business to outlast them, and provides flexibility to adapt their strategy while simultaneously forcing their opponents into disadvantageous positions.
Conceptually, preserving optionality limits downside and broadens upside, thus allowing a company to deal with the unpredictability of circumstances in conflict with it concretely, be they competitors or market conditions.
And while the opposite approach, specialization, has its advantages, it invites the risk of failing to adapt to unforeseen circumstances, particularly in a risk and fraud context.
Losing Optionality When Fighting Fraud
Many anti-fraud solutions in the market focus on offering their customers tools to make assessments for commonplace fraud typologies. Doing so lets these vendors address a wider market and, in a way, preserve their own optionality by specializing in being general.
This might be great for companies who are only experiencing a handful of fraud typologies that commonly occur across other businesses and need a quick solution.
But as companies grow and expand, they often face fraud typologies they would have never predicted, as attackers creatively exploit their unique services for fraudulent purposes.
Using a specialized fraud vendor at this point limits optionality in addressing sophisticated fraud typologies, and caps their ability to adapt to circumstances. For companies looking to continually stay ahead of the risk curve, there are a few important limitations of specialized tools to consider:
Black Box Pains
Specialized fraud tools simplify risk assessment by ingesting data, pooling it across customers, and abstracting away decisioning involved in the form of a score.
The drawback here is that individual customers who use and rely on this risk score have little to no visibility into how data is weighted and how models are formed.
This forces companies with unique cases to rely on models optimized for fraud typologies occurring the most across a diverse customer base, with little insight into how the model doesn’t translate for them specifically, or even how it misflags fraud.
Limited Context of Business Inner Workings
This lack of specificity in off-the-shelf risk engines applies another way; these models have little to no context of how the inner workings of a specific business should change the model to make it more effective.
A cookie-cutter approach means things like unique user profile attributes, and app-specific customer behaviors are not accounted for as variables in the equation for a “solution”.
Generic Model Inputs
There is often little capability a single customer has to tweak a specialized risk engine. Including specialized attributes is challenging when forced to use a predefined set of generic inputs which apply to a broad base of the vendor’s customers.
The risk here is that once a company faces unexpected fraud typologies as it matures, rigid tools will do little to detect these cases as they are designed for a completely different fraud context.
Given these limitations, how then can a business preserve its optionality to answer risk-related questions they haven’t asked yet but need to in the future? And how can it do this when an off-the-shelf risk engine eventually degrades in performance?
First-Party Behavioral Data: Foundation for Optionality
If the conceptual root of preserving optionality in a risk context is having a strategy flexible, comprehensive, and robust enough to address the unpredictability of attackers now and in the future, then starting with the right data foundation is the first step in the right direction.
Fine-grained, first-party behavioral data is essential to building this foundation.
Risk teams who take this approach preserve their optionality in dealing with future risks and fraud typologies in more ways than one:
Full control over Model Inputs
Different from risk engines built and operated by third parties, using models built on first-party behavioral data allow a risk team to completely tailor a model as they see fit, for any case they see fit.
This includes adding unique signals, customizing signal weights, and generally achieving flexibility in model design that’s not possible with off-the-shelf tools. Essentially, this ability to add any data at any time for any case does not restrict a risk team in addressing new fraud typologies as they arise, or force them into being beholden to another company’s product roadmap as they incur losses from fraud.
Implementation of any risk tool requires much work, including team alignment on use cases, ensuring integration soundness and proper data flow, efficacy testing, and more.
Friction occurs when the unique risk engine needs of a team are not addressed or resolved by an off-the-shelf tool, which caters to the lowest common denominator of needs and cases across customers.
A first-party behavioral data approach allows a risk team full control over implementation. They can reach a consensus easier on the data to be used and the reasons for it, find a standardization schema that works, and own the testing process in-house.
Data to Answer Any Question
Using source data to build risk models means having peace of mind knowing that any risk or fraud question that arises in the future can be answered using ground truth data.
Using behavioral data as a foundation also means a risk team can backtest their assumptions about risk detection as often as they like, and make improvements to models when they see fit. Models are free to be built and changed as the business faces new kinds of attackers and fraud.
Future Proofing Risk Assessment
If the only certainty is change, companies who wish to adapt to attackers must keep their defenses flexible enough to have more options than their adversaries, as it is guaranteed those adversaries will evolve.
Using behavioral data in modeling provides more options to risk teams: options on what they can learn about their own customers, options on what kinds of fraud typologies they uniquely face, options on what models can predict those fraud types, and options for dealing with uncertainty.