Skip to content

Which is worse in security detection: a false positive or a false negative?

Short answer

Generally a false negative is worse from a pure security standpoint: it means a real attack went undetected, so there is no response, no containment, and the breach can dwell undiscovered. But false positives are not harmless — high volumes cause alert fatigue, where analysts start ignoring alerts and miss the real one. The right answer names the trade-off, not just a winner.

This question looks like it wants a one-word winner. The trap is answering with absolute confidence either way — the interviewer is testing whether you can reason about the trade-off like a detection engineer.

Define the terms first

  • A false positive is a benign event flagged as malicious — a wasted alert.
  • A false negative is a malicious event that was not flagged — a miss.

Why false negatives are generally worse

A false negative means an attack slipped through with no detection and no response. There is no investigation, no containment, and the adversary can dwell, escalate, and exfiltrate while you believe you are safe. The cost of a single missed breach can dwarf the cost of triaging many false alarms. From a pure risk standpoint, the undetected attack is the nightmare scenario.

Why you cannot dismiss false positives

Here is the subtlety that separates strong candidates: too many false positives cause alert fatigue. Analysts drowning in noise start rubber-stamping or ignoring alerts — and then they miss the real one. So an excess of false positives manufactures false negatives. The two failure modes are linked, not independent. The distractor that says "tuning eliminates both" ignores that every detection threshold trades one against the other.

The mature answer

State that a false negative is generally worse, then immediately acknowledge that unchecked false positives erode detection capability and effectively create false negatives. Mention tuning, risk-based prioritisation, and context (a missed ransomware beacon is far worse than a missed low-severity scan).

What interviewers look for

The trade-off framing, the alert-fatigue link, and the refusal to give a context-free absolute.

Likely follow-ups

  • How does alert fatigue from false positives indirectly cause false negatives?
  • How would you tune a noisy detection rule without creating blind spots?
  • When might you deliberately tolerate more false positives?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.