Effective CISSP Questions

The physical access control system (PACS) mediates access to the computer room using iris scanning. If attempts failed three times, the PACS would trigger an alert. Alice is not authorized to enter the computer room, but she passes the iris scanning. Which of the following is the best description of the authorization decision made by the PACS?
A. True positive
B. False positive
C. True negative
D. False negative

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. False positive.

False acceptance rate (FAR) and false rejection rate (FRR) are two of these.

  • FAR occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.
  • FRR is the problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.

Source: Jason Andress, in The Basics of Information Security (Second Edition), 2014

I summarized the decisions of the PACS with biometric-based authentication and IDS in the following table.

PACS and IDS Decisions

My previous suggested answer, D. False negative, is wrong because I have interpreted the decision from the perspective of an IDS, instead of the PACS. Special thanks go to Nadeev for the feedback: Nadeev Silva

PACS Decisions (Biometric-based)

Technical testing in biometrics has historically focused on throughput and recognition error rates – the latter of two types: false positives (also called false matches – an incorrect decision that two biometric samples are from the same individual when they are not) and false negatives (also called false non-matches – an incorrect decision that two biometric samples are not from the same individual when they in fact are).

Note #20: Here, NIST’s use of the term “FAR” (False Acceptance Rate) is to be interpreted as the false match rate.

Source: Fundamental issues in biometric performance testing: A modern statistical and philosophical framework for uncertainty assessment (NIST)

IDS Decisions

In terms of the accuracy of an IDS, there are four possible states for each activity observed.

  • A true positive state is when the IDS identifies an activity as an attack and the activity is actually an attack. A true positive is a successful identification of an attack.
  • A true negative state is similar. This is when the IDS identifies an activity as acceptable behavior and the activity is actually acceptable. A true negative is successfully ignoring acceptable behavior. Neither of these states are harmful as the IDS is performing as expected.
  • A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm.
  • A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack. This is the most dangerous state since the security professional has no idea that an attack took place. False positives, on the other hand, are an inconvenience at best and can cause significant issues. However, with the right amount of overhead, false positives can be successfully adjudicated; false negatives cannot.

Source: Intrusion Detection (OWASP)
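The two conventions quoted above can be placed side by side in code. The following Python sketch is an added example, not part of the original post or its sources: it labels the same door event under the biometric convention (positive = the scanner declares a match) and under the IDS convention (positive = the activity is flagged as an attack), then computes FAR and FRR. The attempt list is constructed sample data, and treating a rejection at the door as an IDS-style alert is an assumption made for the comparison.

```python
from collections import Counter

def pacs_outcome(authorized: bool, accepted: bool) -> str:
    """Biometric convention: 'positive' = the system declares a match (accept)."""
    if accepted:
        return "TP" if authorized else "FP"   # FP = false acceptance
    return "FN" if authorized else "TN"       # FN = false rejection

def ids_outcome(authorized: bool, accepted: bool) -> str:
    """IDS convention: 'positive' = the activity is flagged as an attack."""
    attack = not authorized      # an unauthorized entry attempt is the "attack"
    flagged = not accepted       # assumption: a rejection is the IDS-style alert
    if flagged:
        return "TP" if attack else "FP"       # FP = false alarm
    return "FN" if attack else "TN"           # FN = missed attack

def error_rates(attempts):
    """Return (FAR, FRR) for a list of (name, authorized, accepted) attempts."""
    counts = Counter(pacs_outcome(a, d) for _, a, d in attempts)
    impostors = counts["FP"] + counts["TN"]   # people who should be rejected
    genuine = counts["TP"] + counts["FN"]     # people who should be accepted
    far = counts["FP"] / impostors if impostors else 0.0
    frr = counts["FN"] / genuine if genuine else 0.0
    return far, frr

# Constructed sample attempts: (person, authorized?, accepted by the scanner?)
ATTEMPTS = [
    ("Alice", False, True),    # the scenario in the question
    ("Bob", True, True),
    ("Carol", True, False),
    ("Dave", False, False),
    ("Erin", True, True),
    ("Frank", False, False),
    ("Grace", True, True),
    ("Heidi", False, False),
]

if __name__ == "__main__":
    for name, authorized, accepted in ATTEMPTS:
        print(f"{name:6} PACS={pacs_outcome(authorized, accepted)} "
              f"IDS={ids_outcome(authorized, accepted)}")
    far, frr = error_rates(ATTEMPTS)
    print(f"FAR={far:.2f} FRR={frr:.2f}")
```

Alice's row comes out as FP under the PACS convention and FN under the IDS convention, which is the distinction between answers B and D.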

Type I and Type II Errors

There are two types of errors as a result of a test procedure:

  • Type I error is the rejection of a true null hypothesis. (aka a “false positive”)
  • Type II error is the failure to reject a false null hypothesis. (aka a “false negative”)

“The null hypothesis is generally assumed to be true until evidence indicates otherwise (similar to the case that a defendant of a jury trial is presumed innocent until proven guilty).” (Wikipedia)



