False positive versus false negative/true positive versus true negative

  • False positive:
    • A false positive is a false alarm
    • This is the state when an information security tool identifies information system processing as an attack, but it is actually expected information system behavior
  • False negative:
    • Most dangerous condition
    • A false negative is when an information security tool identifies attack behavior as normal information system operations
    • In this condition, the attack is unseen by the information security tools
    • This is one of the reasons for a good defense-in-depth strategy. An attack that one tool misses (a false negative) may be caught by another tool
  • True positive:
    • Properly working information security tool
    • This is when attack behavior is identified as attack behavior by the information system
    • While many tools can catch millions of threats with out-of-the-box behavior, the information security professional must constantly tune their information security tools to ensure that a true positive state is maintained
  • True negative:
    • Properly working information security tool
    • This is when an information security tool properly identifies information system behavior as acceptable
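
The four outcomes above, scored for two detection tools and for both layered together. This is an added example, not code from the book; the events, thresholds and tool names are constructed for illustration.

```python
from collections import Counter

# Constructed sample events:
# (event id, failed logins in 5 minutes, source on blocklist, ground truth: is it an attack?)
EVENTS = [
    ("e1", 40, True,  True),   # brute force from a known-bad source
    ("e2", 3,  True,  True),   # slow password spray from a known-bad source
    ("e3", 25, False, False),  # misconfigured service account retrying
    ("e4", 1,  False, False),  # ordinary user typo
    ("e5", 2,  False, True),   # slow password spray from an unknown source
]

def threshold_tool(failed, on_blocklist):
    """Hypothetical tool 1: alerts on a burst of failed logins."""
    return failed >= 10

def reputation_tool(failed, on_blocklist):
    """Hypothetical tool 2: alerts on any activity from a blocklisted source."""
    return on_blocklist

def layered(failed, on_blocklist):
    """Defense in depth: an alert from either tool counts."""
    return threshold_tool(failed, on_blocklist) or reputation_tool(failed, on_blocklist)

def outcome(alerted, is_attack):
    """Map (tool verdict, ground truth) to TP / FP / FN / TN."""
    if alerted:
        return "TP" if is_attack else "FP"
    return "FN" if is_attack else "TN"

def evaluate(tool):
    """Outcome per event id for one tool."""
    return {eid: outcome(tool(failed, bl), attack) for eid, failed, bl, attack in EVENTS}

def tally(tool):
    """Count of each outcome for one tool."""
    return Counter(evaluate(tool).values())

if __name__ == "__main__":
    for tool in (threshold_tool, reputation_tool, layered):
        print(f"{tool.__name__:16} {evaluate(tool)} {dict(tally(tool))}")
```

Event e2 is a false negative for the threshold tool but a true positive once the reputation tool is layered in; e5 is still missed by both, and the layered result inherits the threshold tool's false positive on e3, which is where tuning comes in.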