Effective CISSP Questions

You are conducting user acceptance testing against the fingerprint-based physical access control to the computer room. System administrators and engineers report that they are often blocked outside the door. Which of the following is the most feasible solution to solve this problem? (Source: Wentz QOTD)
A. Lower the error rate of the CER
B. Lower the slope of the FRR curve to reduce Type I error
C. Lower the slope of the FAR curve to reduce Type II error
D. Ask the vendor to replace the fingerprint reader with a new one having lower EER

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Ask the vendor to replace the fingerprint reader with a new one having lower EER.

The CER is not adjustable; it is determined by the performance of the fingerprint reader, so a lower CER implies replacing the reader. Lowering the slope of the FRR and FAR curves is likewise not possible without altering the hardware configuration of the fingerprint reader.


The Curves of FRR and FAR

The FRR (false rejection rate) and FAR (false acceptance rate) curves represent the recognition performance of a fingerprint reader, which depends on the reader's hardware configuration. The curves are fixed and cannot be adjusted, but they can shift, change shape, or become lower or deeper if the CPU, memory, optical recognition component, etc. are replaced or upgraded.

Altering the sensitivity or threshold for matching fingerprint patterns does not affect the curves themselves, but the FRR and FAR values (not the curves) are adjustable by altering the sensitivity or threshold.

Benchmarking CER

CER (also known as EER) is not adjustable either, because it is determined by the FRR and FAR curves. It is an overall indicator of a fingerprint reader's recognition performance. When several fingerprint readers are benchmarked, those with a lower CER offer better recognition performance.
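
The relationship described above, as an added example (not code from the original post): it sweeps the matching threshold over constructed match scores for two hypothetical readers, showing that the threshold only moves FRR and FAR along a reader's fixed curves, while the CER belongs to the reader itself. The 0-100 score scale, the rule that a score at or above the threshold is accepted, and all score values are assumptions.

```python
# Constructed match scores (0-100, higher = closer match); not measured data.
# "genuine" = enrolled user presenting their own finger, "impostor" = anyone else.
READERS = {
    "current reader": {
        "genuine":  [42, 48, 55, 58, 62, 66, 70, 75, 81, 88],
        "impostor": [12, 18, 25, 30, 35, 40, 45, 52, 57, 64],
    },
    "replacement reader": {
        "genuine":  [58, 63, 67, 71, 74, 78, 82, 85, 90, 94],
        "impostor": [8, 14, 19, 24, 28, 33, 38, 43, 49, 61],
    },
}

def rates(reader, threshold):
    """Return (FRR, FAR) at one threshold; a score >= threshold is accepted."""
    genuine, impostor = reader["genuine"], reader["impostor"]
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type I error
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type II error
    return frr, far

def crossover(reader):
    """Sweep every threshold; return (threshold, CER) where FRR and FAR meet."""
    def gap(t):
        frr, far = rates(reader, t)
        return abs(frr - far)
    t = min(range(0, 101), key=gap)   # first threshold with the smallest gap
    frr, far = rates(reader, t)
    return t, (frr + far) / 2

if __name__ == "__main__":
    for name, reader in READERS.items():
        t, cer = crossover(reader)
        print(f"{name}: CER ~ {cer:.0%} at threshold {t}")
        for threshold in (45, 59, 70):
            frr, far = rates(reader, threshold)
            print(f"  threshold {threshold}: FRR {frr:.0%}, FAR {far:.0%}")
```

With these constructed scores, the current reader can only bring FRR down to 10% by accepting a 40% FAR, whereas the replacement reader reaches 10% for both at its crossover point.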

Type I and Type II Error

False rejection is a type I error, while false acceptance is a type II error. Both are errors, and they are negatively correlated: the higher the false rejection rate (FRR), the lower the false acceptance rate (FAR), and vice versa.

“In statistical hypothesis testing, a type I error is the rejection of a true null hypothesis (also known as a “false positive” finding or conclusion), while a type II error is the non-rejection of a false null hypothesis (also known as a “false negative” finding or conclusion).” (Wikipedia)



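You are conducting acceptance testing of the fingerprint-recognition physical access control for the computer room. System administrators and engineers report that they are often blocked outside the door. Which of the following is the most feasible way to solve this problem?
A. Lower the error rate of the EER
B. Lower the slope of the FRR curve to reduce Type I error
C. Lower the slope of the FAR curve to reduce Type II error
D. Ask the vendor to replace the fingerprint reader with a new one having a lower CER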

