What are false positive and false negative in information security?

Updated at: Oct 01, 2019
By Gatefy

In information security, a false positive is a file, message or other item that a protection solution flags as malicious when it is in fact benign. A false negative is the opposite: a malicious item is classified as clean and allowed through.

Both are classification errors: the protection solution labels an item incorrectly, in one direction or the other. No detector avoids both entirely. Tuning it to catch more threats generally produces more false positives, and tuning it to produce fewer false positives lets more threats through, so the two have to be managed together rather than eliminated one at a time.

Understanding false negative

We say here at Gatefy that a false negative causes more damage in the short term, while the consequences of a false positive show up over the longer term.

In the case of a false negative, a malicious file or item gained access to your system or network because your protection solution classified it as legitimate. The case might be a simple virus that is easily cleaned up afterwards. But the threat could just as well be ransomware, which can lead to huge losses, including the loss of intellectual property.

What's worse is that your solution raised no alert at all, so nothing prompted anyone to look. Why does this happen? The most common cause is a threat the solution has never seen before, such as a zero-day attack or a freshly built malware variant for which no signature exists yet. Recent attacks are harder to stop because cybercriminals are constantly searching for new ways to attack, lure and deceive their targets.

Understanding false positive

As we have said, a false positive is the error a scanning or protection product makes when it classifies a legitimate activity or item as an attack. Typically, a false positive results in a website, file or item being quarantined, blocked or deleted.

At first glance, a false positive may not seem as harmful as a false negative. But think long term. What losses would you have, for example, if your email protection solution blocked emails from new customers?

There is a good comparison between a false positive and a fire alarm. Imagine the fire alarm goes off, everyone runs out, and it turns out to be nothing. A false alarm. Now count the time and energy spent on that process, and consider what happens after a few repeats: people start ignoring the alarm, which is exactly the wrong response when a real fire breaks out. That is why, in the long run, a false positive can be as harmful as a false negative.

The most common cause of false positives is a signature or behavioral rule that matches a legitimate file because it resembles a known threat: a packer used by both commercial software and malware, an administration or scripting tool that attackers also abuse, or a heuristic tuned too aggressively.
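The definitions above and the trade-off between the two error types are easiest to see with numbers. The following is an added example, not code from Gatefy or from any product the page describes. It scores a constructed set of ten scanned items (the file names, scores and ground-truth labels are hypothetical) and counts true and false positives and negatives at several decision thresholds, so you can watch the false negatives disappear as the false positives grow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    score: float     # detector's maliciousness score, 0.0 (clean) to 1.0 (malicious)
    malicious: bool  # ground truth established later, e.g. by manual analysis


# Constructed sample of ten scanned items (hypothetical names and scores, not real detections).
SAMPLE = [
    Verdict("invoice.pdf",      0.05, False),
    Verdict("payroll.xlsx",     0.35, False),
    Verdict("nmap-7.94.exe",    0.55, False),  # legitimate admin tool that looks suspicious
    Verdict("newcustomer.eml",  0.62, False),  # a new customer's mail, as in the text above
    Verdict("setup.msi",        0.20, False),
    Verdict("dropper.js",       0.92, True),
    Verdict("encryptor.exe",    0.88, True),   # ransomware that the signatures know well
    Verdict("macro-doc.docm",   0.58, True),   # recent variant, only a partial signature match
    Verdict("update.scr",       0.45, True),   # brand-new sample the signatures barely recognise
    Verdict("photo.jpg",        0.02, False),
]


def confusion(verdicts, threshold):
    """Count TP/FP/FN/TN when every item scoring >= threshold is flagged as malicious."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for v in verdicts:
        flagged = v.score >= threshold
        if flagged and v.malicious:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1          # false positive: clean item blocked
        elif v.malicious:
            counts["fn"] += 1          # false negative: malicious item let through
        else:
            counts["tn"] += 1
    return counts


def rates(counts):
    """Precision, recall and false-positive rate derived from the confusion counts."""
    tp, fp, fn, tn = counts["tp"], counts["fp"], counts["fn"], counts["tn"]
    return {
        "precision": tp / (tp + fp) if tp + fp else 1.0,   # of what we blocked, how much was bad
        "recall":    tp / (tp + fn) if tp + fn else 1.0,   # of what was bad, how much we blocked
        "fpr":       fp / (fp + tn) if fp + tn else 0.0,   # of what was clean, how much we blocked
    }


def missed(verdicts, threshold):
    """Names of the false negatives at a given threshold: these produced no alert at all."""
    return [v.name for v in verdicts if v.malicious and v.score < threshold]


def sweep(verdicts, thresholds):
    """Show how moving the decision threshold trades false negatives for false positives."""
    rows = []
    for t in thresholds:
        c = confusion(verdicts, t)
        rows.append({"threshold": t, **c, **rates(c)})
    return rows


if __name__ == "__main__":
    for row in sweep(SAMPLE, [0.6, 0.5, 0.4, 0.3]):
        print(f"threshold {row['threshold']:.1f}: FP={row['fp']} FN={row['fn']} "
              f"precision={row['precision']:.2f} recall={row['recall']:.2f} fpr={row['fpr']:.2f}")
    print("missed at 0.6:", missed(SAMPLE, 0.6))
```

Running the sweep shows the trade-off directly: at a threshold of 0.6 the two weakly matched malicious samples slip through with no alert, and lowering the threshold to 0.4 catches them at the price of also blocking the admin tool and the new customer's mail. Which side of that trade you accept is a business decision, which is why it pays to measure both error counts rather than only the one that happens to be visible.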

How to prevent false positive and false negative

If your protection software generates a lot of false positives, send samples of the affected files to the solution developer so the detection can be corrected, or, if the product allows it, add them to your whitelist (allowlist). Before whitelisting anything, confirm that the item really is benign, and prefer exceptions keyed to the file's hash or exact path rather than its name, since a broad exception turns every future false positive on that name into a potential false negative.

False negatives tend to be more dangerous. The best way to reduce them is to keep your solution up to date, so that its samples and signatures of the latest threats are current as well. Since signatures by definition lag behind new threats, it also helps to enable any behavioral or heuristic detection the product offers and to treat a clean verdict as a reduction of risk, not a guarantee.
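The whitelisting advice above has a failure mode worth seeing in code: an exception keyed to a file name suppresses the alert for anything that reuses the name, while one keyed to the content hash only suppresses the exact file you verified. The following is an added example, not code from Gatefy or from any product the page describes; the file contents, names and the reviewer field are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key; identical bytes always give the same key."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; real files would be read from disk.
TOOL_BYTES = b"MZ\x90\x00" + b"constructed benign admin tool, verified clean after review"
TROJANIZED = b"MZ\x90\x00" + b"constructed copy of the tool with an added malicious payload"
MALWARE    = b"MZ\x90\x00" + b"constructed dropper"

# Hash-keyed allowlist, populated only through add_exception() so every entry records a reviewer.
ALLOWLIST_BY_HASH = {}
# Name-keyed allowlist, shown only to contrast with the hash-keyed one.
ALLOWLIST_BY_NAME = {"nmap.exe"}


def add_exception(data: bytes, reviewed_by: str) -> str:
    """Allowlist a verified-benign file by hash; refuse entries nobody has signed off on."""
    if not reviewed_by.strip():
        raise ValueError("an allowlist entry needs a named reviewer who confirmed the file is benign")
    digest = sha256_hex(data)
    ALLOWLIST_BY_HASH[digest] = reviewed_by
    return digest


def verdict_by_hash(name: str, data: bytes, detector_flagged: bool) -> str:
    """'allow' if a detector hit is suppressed, 'block' if it stands, 'clean' if there was no hit."""
    if not detector_flagged:
        return "clean"
    return "allow" if sha256_hex(data) in ALLOWLIST_BY_HASH else "block"


def verdict_by_name(name: str, data: bytes, detector_flagged: bool) -> str:
    """Same decision keyed on the file name: the weak form of the exception."""
    if not detector_flagged:
        return "clean"
    return "allow" if name in ALLOWLIST_BY_NAME else "block"


# Constructed cases: (file name, content, did the detector flag it?)
CASES = [
    ("nmap.exe",      TOOL_BYTES, True),    # the known false positive
    ("nmap-copy.exe", TOOL_BYTES, True),    # same tool, renamed
    ("nmap.exe",      TROJANIZED, True),    # trojanized copy reusing the trusted name
    ("report.pdf",    MALWARE,    True),    # ordinary true positive
    ("photo.jpg",     b"\xff\xd8constructed jpeg", False),
]


def compare():
    """Run every case through both exception styles and return (name, by_hash, by_name)."""
    add_exception(TOOL_BYTES, reviewed_by="analyst on duty")   # hypothetical reviewer label
    return [(name, verdict_by_hash(name, data, hit), verdict_by_name(name, data, hit))
            for name, data, hit in CASES]


if __name__ == "__main__":
    for name, by_hash, by_name in compare():
        print(f"{name:14} hash-keyed: {by_hash:5}  name-keyed: {by_name}")
```

The third case is the one that matters: the name-keyed exception waves the trojanized copy through and has quietly turned the original false positive into a false negative, whereas the hash-keyed exception still blocks it. The renamed copy in the second case shows the cost of the stricter key, namely that the false positive comes back until someone reviews and allowlists that file too, which is the right outcome.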