CySA+ False Positives

Detection Logic: The Fire Alarm Analogy

Detection logic evaluates the relationship between the actual occurrence of an event and the system's corresponding response.

1. The Core Matrix
  • True Positive (TP): The event happened and the system alerted correctly.

  • False Positive (FP): The event did not happen, but the system alerted (cried wolf).

  • True Negative (TN): The event did not happen and the system correctly remained silent.

  • False Negative (FN): The event happened, but the system failed to alert (missed threat).

2. Operational Memory Hacks
  • System Action (Positive/Negative): Refers to whether the alarm triggered (Positive) or remained silent (Negative).

  • System Accuracy (True/False): Refers to whether the system's action was correct (True) or incorrect (False).

3. Critical Cybersecurity Context
  • False Negative (FN) is the most dangerous outcome in a security environment because it signifies a silent, undetected breach.

  • False Positive (FP) leads to alert fatigue, where security analysts may ignore real threats due to excessive noise.
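The matrix, the memory hack and the operational consequences above can be run as code. The following is an added example, not part of the original notes: it classifies each event using the two questions from the memory hack (did the alarm fire? was that action correct?), tallies the four cells, derives the rates an analyst would actually look at, and lists the missed threats separately because those are the silent breaches. The event records are constructed sample data, not real telemetry.

```python
"""Confusion-matrix classification for detection logic (added example)."""

# Constructed sample data: (event_id, actually_malicious, system_alerted).
# Ground truth would normally come from an incident review or a labelled test set.
SAMPLE_EVENTS = [
    ("ev-001", True, True),    # real attack, alert fired
    ("ev-002", True, True),    # real attack, alert fired
    ("ev-003", True, True),    # real attack, alert fired
    ("ev-004", False, True),   # benign, alert fired (cried wolf)
    ("ev-005", False, True),   # benign, alert fired (cried wolf)
    ("ev-006", False, False),  # benign, silent
    ("ev-007", False, False),  # benign, silent
    ("ev-008", False, False),  # benign, silent
    ("ev-009", False, False),  # benign, silent
    ("ev-010", True, False),   # real attack, silent (missed threat)
]


def classify(actual: bool, alerted: bool) -> str:
    """Map one (actual, alerted) pair to TP / FP / TN / FN.

    Positive/Negative describes the system's action (alarm fired or not).
    True/False describes whether that action matched what really happened.
    """
    action = "P" if alerted else "N"
    accuracy = "T" if alerted == actual else "F"
    return accuracy + action


def confusion_counts(events) -> dict:
    """Tally how many events fall into each of the four cells."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for _event_id, actual, alerted in events:
        counts[classify(actual, alerted)] += 1
    return counts


def detection_metrics(counts: dict) -> dict:
    """Derive the rates analysts tune on. Division by zero yields 0.0."""
    tp, fp, tn, fn = (counts[k] for k in ("TP", "FP", "TN", "FN"))

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    return {
        # Share of alerts that were real: low precision means alert fatigue.
        "precision": ratio(tp, tp + fp),
        # Share of real events the system caught (detection rate).
        "recall": ratio(tp, tp + fn),
        # Share of benign activity that raised noise.
        "false_positive_rate": ratio(fp, fp + tn),
        # Share of real events that went undetected: the silent breaches.
        "false_negative_rate": ratio(fn, fn + tp),
    }


def missed_threats(events) -> list:
    """Return the ids of events that were real but drew no alert (FN)."""
    return [eid for eid, actual, alerted in events
            if classify(actual, alerted) == "FN"]


if __name__ == "__main__":
    counts = confusion_counts(SAMPLE_EVENTS)
    print("Counts:", counts)
    for name, value in detection_metrics(counts).items():
        print(f"{name:>20}: {value:.2f}")
    print("Missed threats (FN):", missed_threats(SAMPLE_EVENTS))
```

On the sample set, the two false positives cost precision (0.60) while the single false negative is the finding worth escalating: it is the one row where a real event produced no signal at all.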