False Positive/Negative in biometrics

[Nick Anthis]

Had a student miss a question today based upon information that does not appear in the SG or slides. It has to do with False Positive being synonymous with False Acceptance Rate. And while the definition (someone's biometric matching with the wrong person and possibly giving them unauthorized access), somewhat lines up, it isn't something they would be able to read and extrapolate. And for False Negative, it means that someone was denied access that should have been given access based upon proper credentials/biometrics, being synonymous with False Rejection Rate. My issue isn't the definitions, it is that this information is not presented to the students in a way that they would get the question correct, since we usually refer to False Positive/Negative in terms of vulnerability analysis and device alerts, and they don't quite line up with the biometrics in terms of their meanings. I added it as an addendum to make sure my students know these definitions now. Maybe I'm totally wrong though. I defer to the esteemed consensus of my fellow instructors.

 

[Rick Butler]

I added it as an addendum to make sure my students know these definitions now. Maybe I'm totally wrong though. I defer to the esteemed consensus of my fellow instructors.

You're not wrong, but quite often, there is a measure of clarity that is only achieved through didactic explanation. The FAR is the statistical measure for invalid inputs being incorrectly accepted by a security system. False positive in this case wouldn't really be appropriate, but it is not syntactically wrong in its explanation.

I think the best solution is as you prescribe - articulate these things to your students so there's no confusion. No textbook can explain things 100% accurately to every student - which is why Instructors are necessary.

 

[BrianFord]

Had a student miss a question today based upon information that does not appear in the SG or slides. It has to do with False Positive being synonymous with False Acceptance Rate. And while the definition (someone's biometric matching with the wrong person and possibly giving them unauthorized access), somewhat lines up, it isn't something they would be able to read and extrapolate. And for False Negative, it means that someone was denied access that should have been given access based upon proper credentials/biometrics, being synonymous with False Rejection Rate. My issue isn't the definitions, it is that this information is not presented to the students in a way that they would get the question correct, since we usually refer to False Positive/Negative in terms of vulnerability analysis and device alerts, and they don't quite line up with the biometrics in terms of their meanings. I added it as an addendum to make sure my students know these definitions now. Maybe I'm totally wrong though. I defer to the esteemed consensus of my fellow instructors.

A false positive or a false negative is a finding based on a single (for example authentication) event. A finding of false positive or false negative might be the product of investigating a specific event. I use the example of a doctor congratulating an older man telling him 'You're pregnant!' (false positive) and another doctor telling an obviously pregnant woman that she is not pregnant - must just be a stomach ache (false negative).

False Acceptance Rate (FAR) and False Reject Rate (FRR) are statistics based on a set of of findings. I explain this as imagine we are deploying a new security system at an airport (like TSA). To test the system we march 100 people through our new system and record true positives and negatives AND false positive and negatives. These statistics help us determine the crossover rate; which is a measure of sensitivity we want our security solution to exhibit when it is tuned. Think about tuning a stringed instrument (a guitar); no one just plucks a string one time when tuning.

True and false positives and negatives are used to describe a single event. FAR, FRR, and cross over rate (sometimes abbreviated CRX) are statistics based on a set of (many) events.

 

[Nick Anthis]

Thank you all for your replies. I do understand the definitions and how they should be used. My concern is that there isn't anywhere in the book that makes the correlation between FAR and False Positive, and FRR and False Negative. So the student was confused as to why a False Positive would be considered a big time security issue, with the explanation being that a false positive (in terms of biometrics) means someone was allowed in that should not have been. If we're going to test the students on this, I want to make sure they have a chance to read about it in the SG.

 

[Jarrel]

@Nick Anthis

Thanks for sharing. What material are you using?

The books from Pearson and McGrawHill do cover "false acceptance" and "false rejection" under the topic of "biometric readers"
False acceptance and false rejection are also under Objective 2.4 Summarize authentication and authorization design concepts. (SYO-601)

 

[Nick Anthis]

@Nick Anthis

Thanks for sharing. What material are you using?

The books from Pearson and McGrawHill do cover "false acceptance" and "false rejection" under the topic of "biometric readers"
False acceptance and false rejection are also under Objective 2.4 Summarize authentication and authorization design concepts. (SYO-601)

I am using the official CompTIA Sec+ SY0-601 Student Guide. But I guess maybe I haven't been clear on my question/responses or maybe I'm not explaining the situation correctly. I understand what those terms are, what they mean, and that the information is out there on the internet and in many other books. I am clear on the definitions and have no issue making sure my students understand all the various terms and how they apply. And the Comptia books have information about False Acceptance and False Rejection, but they don't have information that correlates that to the terms False Positive and False Negative when talking about biometrics. My only intent was to make sure that other instructors know/knew that the information to answer that question (specifically False Positive/False Negative in biometrics) was not in their official student guide and that they might see those terms on the certification exam.

 

[Jarrel]

Thanks for sharing.

While a few exam questions are "bookish" such that the definition of words are "by-the-book', many exam questions however, are situational and thereby, descriptive in nature.

I can hardly comment on the question that your student missed as I didn't see it myself, but you can probably train your students to comprehend the security terms in their own words. In that way, the students will still be able to somewhat answer a question even if the description of the situation or definition of a term is a bit astray.

Doing so, the student will then see a connection between false acceptance and false positive, as well as with false rejection and false negative.

I understand - these terms are defined differently but hopefully, they'd see the similarity however gray the line may be.

 

[Mark Anthony Germanos]

I am using the official CompTIA Sec+ SY0-601 Student Guide. But I guess maybe I haven't been clear on my question/responses or maybe I'm not explaining the situation correctly. I understand what those terms are, what they mean, and that the information is out there on the internet and in many other books. I am clear on the definitions and have no issue making sure my students understand all the various terms and how they apply. And the Comptia books have information about False Acceptance and False Rejection, but they don't have information that correlates that to the terms False Positive and False Negative when talking about biometrics. My only intent was to make sure that other instructors know/knew that the information to answer that question (specifically False Positive/False Negative in biometrics) was not in their official student guide and that they might see those terms on the certification exam.

Since we're talking False Positive and False Negative in biometrics here, let me suggest this example.

Joe's work has a thumbprint reader at the server room door. Joe swipes his thumbprint and gains access to the server room.
False positive: Bill swipes his thumbprint and gains access. His thumb is almost the same size as Joe's.
False negative: Joe swipes his thumbprint and is denied access. His thumbprint has too much dirt and/or oil.

 

[Nick Anthis]

Thanks for sharing.

While a few exam questions are "bookish" such that the definition of words are "by-the-book', many exam questions however, are situational and thereby, descriptive in nature.

I can hardly comment on the question that your student missed as I didn't see it myself, but you can probably train your students to comprehend the security terms in their own words. In that way, the students will still be able to somewhat answer a question even if the description of the situation or definition of a term is a bit astray.

Doing so, the student will then see a connection between false acceptance and false positive, as well as with false rejection and false negative.

I understand - these terms are defined differently but hopefully, they'd see the similarity however gray the line may be.

Yeah, that's all good. But I think I'm just going to send a request to CompTIA to add those terms to the book for that particular section.

 

[Nick Anthis]

Since we're talking False Positive and False Negative in biometrics here, let me suggest this example.

Joe's work has a thumbprint reader at the server room door. Joe swipes his thumbprint and gains access to the server room.
False positive: Bill swipes his thumbprint and gains access. His thumb is almost the same size as Joe's.
False negative: Joe swipes his thumbprint and is denied access. His thumbprint has too much dirt and/or oil.

I like that analogy, thanks. I'm going to add it to my lecture, if you don't mind. I'd still like CompTIA to add those terms to the book so the students can at least see those terms associated with biometrics.

 

[Rick Butler]

I like that analogy, thanks. I'm going to add it to my lecture, if you don't mind. I'd still like CompTIA to add those terms to the book so the students can at least see those terms associated with biometrics.

@Stephen Schneiter - Is this something to suggest to the content team for review?

 

[Fanuel]

You're not wrong, but quite often, there is a measure of clarity that is only achieved through didactic explanation. The FAR is the statistical measure for invalid inputs being incorrectly accepted by a security system. False positive in this case wouldn't really be appropriate, but it is not syntactically wrong in its explanation.

I think the best solution is as you prescribe - articulate these things to your students so there's no confusion. No textbook can explain things 100% accurately to every student - which is why Instructors are necessary.

I was teaching the same today and you just explained the same way I did. It is really confusing for students to understand these terms in the way the SG has articulated.

 

[Rick Butler]

I was teaching the same today and you just explained the same way I did. It is really confusing for students to understand these terms in the way the SG has articulated.

I haven't seen a book yet that is perfect in this regard, not to mention that terminology can be subjective, based on how a person was taught and the context. There is a 'right' definition for each term, and then there's vernacular.

Like people that call an entire PC a 'hard drive' or 'CPU'.