Some basic math concepts for security:
- Base rate fallacy:
The base rate fallacy comes into play when one ignores, or is unaware of, the very low probability of an occurrence in comparison to another. For example, consider an inspection mechanism checking for terrorists that is able to make this determination with an accuracy of 99.99% (i.e. if someone is a terrorist there is a 99.99 percent chance that the mechanism indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the mechanism indicates "non-terrorist"). Assuming that one in twenty-five million passengers is a terrorist, what is the chance that a person identified as a terrorist by the mechanism actually is a terrorist? Though it may seem counter-intuitive, the answer is 0.04%. How? Let us run the numbers:
Assuming that one in twenty-five million flyers actually is a terrorist, the mechanism's false positive rate means that in addition to the one person who is a terrorist, (1-0.9999)*25,000,000 = 2,500 people will also be incorrectly identified as terrorists. Thus the probability that a person identified as a terrorist actually is one is 1/2500*100 = 0.04%.
Thus, though the accuracy of the mechanism is high, it is very likely that the rate of false alarms would eventually cause the people running the mechanism to distrust its results. Any such mechanism (e.g. biometric identification of the iris) would also be expensive, and its deployment in every airport would be a burden in terms of dollars, manpower, etc.
- Crossover error rate:
Inspection mechanisms such as profiling or biometrics are subject to two types of errors. The first is known as the False Rejection Rate (FRR) or Type 1 error, in which a valid test subject is incorrectly rejected. The second is known as the False Acceptance Rate (FAR) or Type 2 error, in which an invalid test subject is incorrectly accepted. For example, for an iris scanner a Type 1 error would occur if the machine incorrectly rejected a subject that was in the database, while a Type 2 error would occur if it incorrectly accepted a person not in the database. As the sensitivity of the inspection mechanism is increased, the mechanism will become more selective and the incidence of incorrect rejections (FRR) will increase. Conversely, as the sensitivity is decreased, the mechanism will become less selective and the incidence of incorrect acceptances (FAR) will increase. The graph below shows the relationship between these variables.

The crossover error rate (CER) is the point at which the FRR and FAR are equal, and thus is a valid measure of system performance that can be used to compare different systems. In general, a mechanism with a lower CER will be more accurate than a system with a higher CER.
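As an added example (not part of the original note), the two calculations above in code: the Bayes' rule computation behind the 0.04% figure, and a crossover error rate found by sweeping a decision threshold over constructed genuine and impostor match scores (the score lists are assumed sample data; higher means a closer match).

```python
def positive_predictive_value(prevalence, sensitivity, specificity):
    """Probability that a subject flagged positive truly is positive (Bayes' rule).

    prevalence: base rate of true positives in the population
    sensitivity: P(flag | positive), specificity: P(no flag | negative)
    """
    true_pos = prevalence * sensitivity
    false_pos = (1 - prevalence) * (1 - specificity)
    return true_pos / (true_pos + false_pos)


def expected_false_alarms(population, prevalence, specificity):
    """Number of non-targets the mechanism is expected to flag anyway."""
    return population * (1 - prevalence) * (1 - specificity)


def error_rates(genuine, impostor, threshold):
    """FRR: genuine subjects scoring below the threshold (wrongly rejected).
    FAR: impostors scoring at or above it (wrongly accepted)."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, frr, far)
    at the point where FRR and FAR are closest, i.e. the crossover."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]


# Constructed sample match scores for a hypothetical biometric system.
GENUINE = [0.55, 0.62, 0.70, 0.74, 0.78, 0.81, 0.85, 0.88, 0.91, 0.95]
IMPOSTOR = [0.10, 0.20, 0.28, 0.35, 0.41, 0.48, 0.53, 0.60, 0.66, 0.72]

if __name__ == "__main__":
    ppv = positive_predictive_value(1 / 25_000_000, 0.9999, 0.9999)
    print(f"P(terrorist | flagged) = {ppv * 100:.2f}%")  # about 0.04%
    print(f"expected false alarms: {expected_false_alarms(25_000_000, 1 / 25_000_000, 0.9999):.0f}")
    t, frr, far = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: FRR={frr:.2f}, FAR={far:.2f}")
```

Raising the threshold moves the operating point toward higher FRR and lower FAR, which is the trade-off the graph depicts.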
© SNi 12/25/2001