False positive versus false negative / true positive versus true negative
False positive:
A false positive is a false alarm
This is the state when an information security tool identifies an information system process as an attack, but it is actually expected information system behavior
False negative:
Most dangerous condition
A false negative is when an information security tool identifies attack behavior as normal information system operations
In this condition, the attack is unseen by the information security tools
This is one of the reasons for a good, in-depth defense strategy. One tool that reports a false negative may be caught by another tool
True positive:
Properly working information security tool
This is when attack behavior is identified as attack behavior by the information security tool
While many tools can catch millions of threats with out-of-the-box behavior, the information security professional must constantly tune their information security tools to ensure that a true positive state is maintained
True negative:
Properly working information security tool
This is when an information security tool properly identifies information system behavior as acceptable
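The four outcomes above, and the defense-in-depth point under "false negative", worked through as an added example (not part of the original notes): a constructed set of ten events with known ground truth is scored against two hypothetical tools, A and B, and against the layered rule "alert if either tool alerts". It shows that layering cuts the false negatives but raises the false positives, which is why tuning is still needed.

```python
from collections import Counter

# Constructed sample data for illustration only: ten events, whether each was
# really an attack, and the verdict two hypothetical tools (A and B) returned.
EVENTS = [
    # (event id, is_attack, tool_a_alerted, tool_b_alerted)
    ("e01", True,  True,  True),
    ("e02", True,  False, True),   # tool A misses it: false negative for A
    ("e03", False, True,  False),  # tool A false alarm: false positive for A
    ("e04", False, False, False),
    ("e05", True,  True,  False),  # tool B misses it
    ("e06", False, False, False),
    ("e07", True,  False, False),  # both miss it: still unseen with layering
    ("e08", False, False, True),   # tool B false alarm
    ("e09", False, False, False),
    ("e10", True,  True,  True),
]

def classify(is_attack, alerted):
    """Map one (ground truth, verdict) pair to TP / FP / FN / TN."""
    if alerted:
        return "TP" if is_attack else "FP"
    return "FN" if is_attack else "TN"

def confusion(events, verdict):
    """Tally the four outcomes for a verdict function over the events."""
    return Counter(classify(e[1], verdict(e)) for e in events)

def rates(counts):
    """Detection rate (TP / all attacks) and false alarm rate (FP / all benign)."""
    tp, fp, fn, tn = (counts[k] for k in ("TP", "FP", "FN", "TN"))
    detection = tp / (tp + fn) if tp + fn else 0.0
    false_alarm = fp / (fp + tn) if fp + tn else 0.0
    return detection, false_alarm

tool_a = lambda e: e[2]
tool_b = lambda e: e[3]
either = lambda e: e[2] or e[3]   # layered defense: alert if any tool alerts

if __name__ == "__main__":
    for name, v in (("tool A", tool_a), ("tool B", tool_b), ("A or B", either)):
        c = confusion(EVENTS, v)
        d, f = rates(c)
        print(f"{name}: {dict(c)} detection={d:.2f} false_alarm={f:.2f}")
```

On this sample each tool alone detects 3 of 5 attacks; combined they detect 4 of 5, while false alarms double from 1 to 2.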