Effective CISSP Questions

Your company implemented a biometric system that matches fingerprints against the model database to control access to the computer room. An IT engineer is authorized to enter the computer room by the management but rejected by the system. Which of the following best describes the error? (Wentz QOTD)
A. False negative
B. False positive
C. Type I error
D. Type II error

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Type I error.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Because the official study guide (OSG) and many other sources introduce the terms false positive and false negative in the context of biometrics, I wrote this question to discuss whether it is appropriate to borrow the words positive and negative from other application domains and use them in biometrics. Your feedback is highly welcome!

Acceptance and rejection, and match and non-match, are already effective for communication in the context of biometrics. Do we need to relate them to the negative and positive of binary classification at all?

In statistical hypothesis testing, whether a wrong decision is a Type I or a Type II error depends on the null hypothesis; the two terms have a precise definition. The terms positive and negative, by contrast, are typically used in medical screening and testing. Using them in biometrics may conflict with the shared understanding of those domains.


False Rejection Rate   A false rejection occurs when an authentication system does not authenticate a valid user. As an example, say Dawn has registered her fingerprint and used it for authentication previously. Imagine that she uses her fingerprint to authenticate herself today, but the system incorrectly rejects her fingerprint, indicating it isn’t valid. This is sometimes called a false negative authentication. The ratio of false rejections to valid authentications is known as the false rejection rate (FRR). False rejection is sometimes called a Type I error.

False Acceptance Rate   A false acceptance occurs when an authentication system authenticates someone incorrectly. This is also known as a false positive authentication. As an example, imagine that Hacker Joe doesn’t have an account and hasn’t registered his fingerprint. However, he uses his fingerprint to authenticate, and the system recognizes him. This is a false positive or a false acceptance. The ratio of false positives to valid authentications is the false acceptance rate (FAR). False acceptance is sometimes called a Type II error.

Source: Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 1147). Wiley. Kindle Edition.


Technical testing in biometrics has historically focused on throughput and recognition error rates – the latter of two types: false positives (also called false matches – an incorrect decision that two biometric samples are from the same individual when they are not) and false negatives (also called false non-matches – an incorrect decision that two biometric samples are not from the same individual when they in fact are).

Source: Fundamental issues in biometric performance testing: A modern statistical and philosophical framework for uncertainty assessment

Null Hypothesis in Biometrics

A biometric system might reject a legitimate employee because the presented sample fails to match the stored template, or accept an intruder because of a spurious match. In statistical hypothesis testing, the type of error depends on the null hypothesis. Under the convention used by the OSG (and in this question), the null hypothesis of a biometric system states that the sample matches the template stored in the model repository, i.e., the claimant is the enrolled user. The system's decision is therefore either "match" or "non-match". Either decision can be wrong: a false non-match (Type I error, or false rejection) wrongly rejects a true null hypothesis, and a false match (Type II error, or false acceptance) wrongly accepts a false one.

Confusing False-positive/False-negative in Biometrics

Some treat a match as a positive and a non-match as a negative, which leads to the argument that a false positive equals a false acceptance (Type II error) and a false negative equals a false rejection (Type I error). This often confuses people, because borrowing positive and negative in this way conflicts with most other application domains, where a false positive is well known as a Type I error: medical screening and testing, security screening (e.g., at airports), spam filtering, IDS/IPS, and so on. In those domains the null hypothesis is a negative statement (the patient does NOT have the disease, the item is NOT a weapon, the message is NOT spam, the traffic is NOT an intrusion), whereas in biometrics it is a positive statement (the sample matches a template in the model repository).
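The mapping between match/non-match, false acceptance/false rejection, and Type I/Type II is easier to see in code. The following worked example is added here and is not from the original post, the OSG, or any vendor: it computes the false match rate (FAR) and false non-match rate (FRR) of a matcher at a decision threshold from constructed genuine and impostor comparison scores, sweeps the threshold to find the equal error rate, and names each wrong decision under both null-hypothesis conventions discussed above. The scores, the threshold, and the function names are illustrative assumptions.

```python
"""Added worked example: FAR/FRR from constructed similarity scores and the
Type I / Type II labelling of each error under two null-hypothesis conventions."""

from dataclasses import dataclass

# Constructed sample data (made up for this example): similarity scores in [0, 1]
# from a hypothetical fingerprint matcher. "Genuine" comparisons pair a sample
# with its owner's template; "impostor" comparisons pair it with someone else's.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.69, 0.58, 0.95, 0.73]
IMPOSTOR_SCORES = [0.12, 0.25, 0.31, 0.44, 0.52, 0.61, 0.18, 0.39]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    fmr: float   # false match rate: impostors accepted (false acceptance rate, FAR)
    fnmr: float  # false non-match rate: genuine users rejected (false rejection rate, FRR)


def decide(score: float, threshold: float) -> str:
    """Matcher decision: 'match' (accept) if the score reaches the threshold, else 'non-match'."""
    return "match" if score >= threshold else "non-match"


def error_rates(genuine, impostor, threshold: float) -> ErrorRates:
    """FMR = false matches / impostor attempts; FNMR = false non-matches / genuine attempts."""
    false_matches = sum(1 for s in impostor if decide(s, threshold) == "match")
    false_non_matches = sum(1 for s in genuine if decide(s, threshold) == "non-match")
    return ErrorRates(threshold, false_matches / len(impostor), false_non_matches / len(genuine))


def classify_error(is_genuine: bool, decision: str, null_hypothesis: str = "match"):
    """Name a single wrong decision, or return None if the decision was correct.

    null_hypothesis="match":     H0 = "the sample matches the template" (the OSG/CISSP
                                 convention on this page). Rejecting a genuine user rejects
                                 a true H0, so a false rejection is the Type I error.
    null_hypothesis="non-match": H0 = "the sample does NOT match" (the screening-style
                                 convention in which a match is the 'positive'). Then a
                                 false match is the Type I error instead.
    """
    correct = (is_genuine and decision == "match") or (not is_genuine and decision == "non-match")
    if correct:
        return None
    error = "false rejection (false non-match)" if is_genuine else "false acceptance (false match)"
    if null_hypothesis == "match":
        error_type = "Type I" if is_genuine else "Type II"
    else:
        error_type = "Type II" if is_genuine else "Type I"
    return f"{error}: {error_type} error"


def equal_error_threshold(genuine, impostor, steps: int = 100) -> ErrorRates:
    """Sweep thresholds in [0, 1] and return the rates at the point where FMR and FNMR
    are closest (the equal error rate, EER, often used to compare matchers)."""
    best = None
    for i in range(steps + 1):
        rates = error_rates(genuine, impostor, i / steps)
        gap = abs(rates.fmr - rates.fnmr)
        if best is None or gap < best[0]:
            best = (gap, rates)
    return best[1]


if __name__ == "__main__":
    for t in (0.6, 0.7):
        r = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FAR/FMR={r.fmr:.3f}  FRR/FNMR={r.fnmr:.3f}")
    eer = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER threshold={eer.threshold:.2f}  FMR={eer.fmr:.3f}  FNMR={eer.fnmr:.3f}")
    # The engineer in the question: authorized (genuine) but rejected.
    print("OSG convention:      ", classify_error(True, "non-match"))
    print("Screening convention:", classify_error(True, "non-match", "non-match"))
```

Raising the threshold lowers FAR and raises FRR; the engineer in the question is a genuine user who was rejected, which `classify_error` labels a Type I error under the OSG convention and a Type II error under the opposite null hypothesis, which is exactly the ambiguity the post is about.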


