
The security IT teams where I work are intent on protecting the company from emails that might cause damage to the company, so they’ve been working on new spam filters, and they’ve decided to put a notification at the top of each email that comes from outside the company. However, we use a lot of third party online tools and now notifications from these tools – which I need to see – are flagged as being from outside the company.
Technically it’s true: these are emails from outside the company. However they’re from companies we partner with and I do need to see these emails. From a user perspective these are being flagged when they don’t need to be: it’s a false positive and it occurs because IT has defined the work environment as only what exists on the company’s own servers.
There is a limit to the accuracy of any test, and some of that limit is around false negatives and false positives, so what do those terms mean?
Think of a pregnancy test:
– A false positive would mean the test confirmed a pregnancy that does not exist.
– A false negative would mean the test showed no pregnancy when one does exist.
One challenge of creating an algorithm that uses some external data as input is evaluating the risk of false positives and false negatives. In law there’s an axiom that it’s better that ten guilty people go free rather than one innocent person be imprisoned. So the legal system works to protect the innocent with rules of evidence and by putting the burden of proof on the prosecution, knowing that in some cases guilty people will go free. In drawing the line far on the side of false negatives (the guilty person is not convicted) the law acknowledges that it is, at least in theory, really important to avoid false positives (an innocent person is convicted).
In my email example above the line has been drawn: if it’s not a company email – easily identifiable by the email address – then it’s external and the notification is used. But our work environment online is no longer the walled garden we once had. Almost all of the systems I use are from external companies, companies that have gone through significant technical and risk assessment before being allowed to connect to the network. They are systems where I work, but from a strict IT perspective they are outside the company.
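To make the false positive / false negative trade-off concrete, here is an added example (my own illustration, not code from the post or from any mail gateway) that scores the "not a company domain" banner rule against a variant that also knows about vetted partner tools. The domains, the sample messages and the "does the reader want a banner on this?" labels are all constructed; the `dmarc_pass` field assumes the receiving gateway records whether DMARC authentication passed, so that a message merely claiming a partner domain is still flagged. The confusion matrix makes the cost of each rule visible: the strict rule never misses but flags the partner notifications the reader needs, while the partner-aware rule trades those false positives for a possible false negative from a trusted domain.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed domains for the illustration.
COMPANY_DOMAINS = {"example.com"}
VETTED_PARTNER_DOMAINS = {
    "notify.partner-tool.example",   # a third-party tool IT has risk-assessed (constructed)
    "alerts.saas-vendor.example",    # another vetted vendor (constructed)
}


@dataclass(frozen=True)
class Message:
    sender: str        # RFC 5322 From address
    dmarc_pass: bool   # assumption: the gateway records the DMARC result
    wants_banner: bool # ground-truth label: would the reader want this flagged as external?


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def strict_rule(msg: Message) -> bool:
    """The rule described in the post: anything not from a company domain gets the banner."""
    return sender_domain(msg.sender) not in COMPANY_DOMAINS


def partner_aware_rule(msg: Message) -> bool:
    """Suppress the banner for vetted partner domains, but only when DMARC passed,
    so the allowlist cannot be satisfied by simply claiming a partner's domain."""
    domain = sender_domain(msg.sender)
    if domain in COMPANY_DOMAINS:
        return False
    if domain in VETTED_PARTNER_DOMAINS and msg.dmarc_pass:
        return False
    return True


def confusion_matrix(rule: Callable[[Message], bool], messages: List[Message]) -> Dict[str, int]:
    """Count true/false positives and negatives of a banner rule against the labels."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for m in messages:
        flagged = rule(m)
        if flagged and m.wants_banner:
            counts["tp"] += 1        # external and flagged
        elif flagged and not m.wants_banner:
            counts["fp"] += 1        # the post's complaint: needed mail flagged as external
        elif not flagged and not m.wants_banner:
            counts["tn"] += 1        # internal (or accepted partner) and not flagged
        else:
            counts["fn"] += 1        # should have been flagged but was not
    return counts


def rates(counts: Dict[str, int]) -> Tuple[float, float]:
    """(false positive rate, false negative rate) from a confusion matrix."""
    fpr = counts["fp"] / (counts["fp"] + counts["tn"]) if counts["fp"] + counts["tn"] else 0.0
    fnr = counts["fn"] / (counts["fn"] + counts["tp"]) if counts["fn"] + counts["tp"] else 0.0
    return fpr, fnr


# Constructed sample mailbox. Labels reflect the reader's view described in the post.
SAMPLE_MESSAGES = [
    Message("colleague@example.com", True, False),                  # internal mail
    Message("noreply@notify.partner-tool.example", True, False),    # vetted tool notification the reader needs
    Message("alerts@alerts.saas-vendor.example", True, False),      # vetted vendor alert the reader needs
    Message("someone@unknown-sender.example", True, True),          # genuinely external
    Message("billing@notify.partner-tool.example", False, True),    # claims a partner domain, DMARC failed
    Message("support@notify.partner-tool.example", True, True),     # partner domain, but the reader wants a banner anyway
]


if __name__ == "__main__":
    for name, rule in (("strict", strict_rule), ("partner-aware", partner_aware_rule)):
        cm = confusion_matrix(rule, SAMPLE_MESSAGES)
        fpr, fnr = rates(cm)
        print(f"{name:14s} {cm}  FPR={fpr:.2f} FNR={fnr:.2f}")
```

Running it shows the line moving: the strict rule scores two false positives and no false negatives on this mailbox, the partner-aware rule scores none and one. Whichever side the line is drawn on, the point is that the choice is made deliberately and measured, and that any allowlist is gated on an authentication result rather than on the From address alone.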
I understand the IT perspective on this, but the volume of notifications has taught me to ignore them. It’s a bit like the boy who cried wolf – the ultimate false positive.