False Positives and False Negatives
A few more definitions:
- Detection is the action of finding out whether something undesirable happened.
- Prevention is the action of not allowing something undesirable to happen in the first place.
- A Response is an action that we (users, data owners, system admins, organizations, etc.) take to address the consequences of the undesirable event.
The detection results of a security system (e.g., a firewall or IDS) fall into the following four cases:
- True Positive: When a system labels an item as 'infected', and it was indeed infected.
- False Positive: When a system labels an item as 'infected', but it was actually uninfected/benign.
- True Negative: When a system doesn't detect anything bad, and it was indeed uninfected/benign.
- False Negative: When a system doesn't detect anything bad, but the item was unfortunately infected/malicious.
False Positive cases lead to loss of data, efficiency, and time (benign items get blocked, quarantined, or investigated for nothing), while False Negative cases can harm data and the system, because the infected or malicious item stays in place undetected.
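As an added example (not part of the original notes), the four cases tallied over constructed detector verdicts; the `Verdict` type, the sample items and the function names are hypothetical, and it goes slightly beyond the text by also computing the false positive and false negative rates from the four counts:

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    """One item as seen by a detector, paired with the ground truth (constructed data)."""
    item: str
    malicious: bool   # ground truth: was the item actually infected/malicious?
    flagged: bool     # detector output: did the system label it 'infected'?


def classify(malicious: bool, flagged: bool) -> str:
    """Map one (ground truth, detector verdict) pair to TP / FP / TN / FN."""
    if flagged:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"


def confusion_matrix(verdicts) -> dict:
    """Count how many items fall into each of the four cases."""
    counts = Counter(classify(v.malicious, v.flagged) for v in verdicts)
    return {k: counts.get(k, 0) for k in ("TP", "FP", "TN", "FN")}


def error_rates(cm: dict) -> dict:
    """FPR: share of benign items wrongly flagged; FNR: share of malicious items missed."""
    benign = cm["FP"] + cm["TN"]
    malicious = cm["TP"] + cm["FN"]
    return {
        "false_positive_rate": cm["FP"] / benign if benign else 0.0,
        "false_negative_rate": cm["FN"] / malicious if malicious else 0.0,
    }


# Constructed sample: hypothetical IDS verdicts on eight items (names made up).
SAMPLE = [
    Verdict("invoice.pdf", malicious=False, flagged=False),  # TN
    Verdict("dropper.exe", malicious=True, flagged=True),    # TP
    Verdict("report.docx", malicious=False, flagged=True),   # FP: analyst time wasted
    Verdict("backup.zip", malicious=False, flagged=False),   # TN
    Verdict("loader.dll", malicious=True, flagged=False),    # FN: compromise goes unnoticed
    Verdict("macro.xlsm", malicious=True, flagged=True),     # TP
    Verdict("setup.msi", malicious=False, flagged=False),    # TN
    Verdict("beacon.ps1", malicious=True, flagged=False),    # FN
]

if __name__ == "__main__":
    cm = confusion_matrix(SAMPLE)
    print(cm, error_rates(cm))
```

For the sample above this yields two true positives, one false positive, three true negatives and two false negatives, i.e. a false positive rate of 0.25 and a false negative rate of 0.5.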