In the event of an unknown zero-day attack, an intrusion detection system (IDS) might not be able to detect the attack and therefore fail to alert the administrator. Any failure - EssayAbode


In the event of an unknown zero-day attack, an intrusion detection system (IDS) might not be able to detect the attack and therefore fail to alert the administrator. Any failure to detect an attack is called a false negative. When alarms are not going off, it’s common to assume that no malicious events are taking place. If that’s a false assumption, real attacks are occurring and security staff is unaware.

False positives may create a false sense of security for the opposite reason—too many alarms from benign occurrences. An administrator might react quickly to the first few alarms. However, after receiving additional false positives, a busy administrator might put off investigating the alarms or ignore them.
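The two error types described above, as an added example that is not part of the original page: a toy signature matcher scored against constructed log lines with known ground truth. The signatures, log lines and function names are assumptions made for illustration.

```python
import re

# Hypothetical signatures for illustration, not taken from any real IDS rule set.
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed sample events: (request line, ground truth: is it an attack?)
EVENTS = [
    ("GET /item?id=1 UNION SELECT name FROM users", True),
    ("GET /download?file=../../etc/passwd", True),
    ("POST /api/render payload=constructed-unknown-exploit", True),  # no signature exists
    ("GET /search?q=union select syntax help", False),   # benign, looks like SQLi
    ("GET /static/../static/logo.png", False),           # benign relative path
    ("GET /index.html", False),
    ("GET /login", False),
]

def matched_signatures(line):
    """Names of every signature that fires on this line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

def score(events):
    """Compare alarms to ground truth; return counts plus the missed and noisy lines."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    missed, noisy = [], []
    for line, is_attack in events:
        fired = bool(matched_signatures(line))
        if fired and is_attack:
            counts["TP"] += 1
        elif fired:
            counts["FP"] += 1
            noisy.append(line)      # alarm on benign traffic
        elif is_attack:
            counts["FN"] += 1
            missed.append(line)     # attack with no alarm
        else:
            counts["TN"] += 1
    return counts, missed, noisy

def rates(c):
    """Precision (share of alarms that are real) and miss rate (share of attacks unseen)."""
    alarms, attacks = c["TP"] + c["FP"], c["TP"] + c["FN"]
    precision = c["TP"] / alarms if alarms else 0.0
    miss_rate = c["FN"] / attacks if attacks else 0.0
    return precision, miss_rate

if __name__ == "__main__":
    counts, missed, noisy = score(EVENTS)
    print(counts, rates(counts))
    print("missed:", missed)
    print("noisy:", noisy)
```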

Answer the following question(s):

Assume you are a network administrator responsible for security. In your opinion, which is worse—false positives or false negatives? Why?
