Effective CISSP Questions

Employees complained about the inconvenience of the biometric-based physical access control system for delaying their entrance to the office too long, even though you had optimized the sensitivity of the biometric system. Which of the following is the most feasible solution? (Wentz QOTD)
A. Revise the information security policy.
B. Update the information security strategy.
C. Raise the clipping level or equal error rate (EER).
D. Replace a new biometric system with a lower crossover error rate (CER).

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Replace a new biometric system with a lower crossover error rate (CER).

General Problem Solving Process
General Problem Solving Process

Strategy and Policy

To think (mindsets) like a manager (management) means a lot; to be effective and realistic and create value are crucial mindsets. We create value for organizations by increasing revenue, improving efficiency, reducing waste, avoiding losses, and solving problems. We FIX not only technical problems but also management problems; process ineffectiveness or inefficiency is just one form of problem.

Management is a systematic approach (e.g., PDCA) to achieve goals. effectiveness is the “extent to which planned activities are realized and planned results achieved” (ISO 30401:2018) or “accuracy and completeness with which users achieved specified goals.” (ISO 30071-1:2019)

The information security strategy and policy are management things, but it’s not realistic to modify them because of bumping into technical or implementation obstacles. A strategy typically deals with long-term goals and agenda. A policy expresses the management intent and directs the development of standards and procedures. Both of them remain relatively stable.


The equal error rate (EER) is equivalent to the crossover error rate (CER). We can only adjust the sensitivity or threshold of a biometric reader/system to change the false acceptance rate (FAR) and false rejection rate (FRR). The curve of FAR and FRR are not changeable or shiftable; so does the EER.

A lower CER or EER means a biometric system has better performance. Replacing a better model is the only way to change EER/CER; altering or even optimizing sensitivity or threshold doesn’t change EER/CER. The following figure shows the crossover error rate (CER) for two biometric systems.

Clipping Levels

Clipping levels are typically used in the context of auditing and monitoring. When it comes to biometric systems, we use the term sensitivity or threshold.

Have you ever tried to log in to your workplace 300 times at 4 a.m.? Most people have not, and that’s where clipping levels come in. Clipping levels are a way to allow users to make an occasional mistake. A clipping level is a threshold for normal mistakes a user may commit before investigation or notification begins.

An understanding of the term clipping level is essential for mastery of the CISSP exam. A clipping level establishes a baseline violation count to ignore normal user errors.

The clipping level allows the user to make an occasional mistake, but if the established level is exceeded, violations are recorded or some type of response occurs. Look no further than your domain controller to see a good example of how clipping levels work.




My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

員工抱怨基於生物特徵的門禁系統因為讓他們延遲進入辦公室帶來的不便,即使您已經優化了生物特徵系統的敏感性(sensitivity)。 以下哪項是最可行的解決方案? (Wentz QOTD)
A. 修改資訊安全政策。
B. 更新 資 息安全策略。
C. 提高門檻值(clipping level)或相等的誤碼率(EER)。
D. 更換具有較低交叉錯誤率(CER)的新生物識別系統。

Leave a Reply