13 Mar 19 Part 8: False Positives are a Pain
Just a Negative, Right?
So what does that mean?
If it’s not positive, then it’s just a negative, right?
Well, sort of. The difference between a false positive and a negative is simply that a false positive is a negative that has been incorrectly reported as a positive.
Yup, me too.
Anyway, as it relates to access-related risk, a false positive is generally something that is reported as a risk when, in fact, it is not a risk (probably).
Why is this a pain?
A Major Headache
False positives can be a major headache for anyone tasked with managing access-related risk. What they do is waste your time. Consider a scenario where you have identified 1,000 access-related risks in your system: you investigate them all, and when you are done you have determined that 500 of the reported risks were not risks at all; they were, in fact, false positives.
You completed your analysis, which is great, but you also wasted half your time trying to understand a whole bunch of risks that didn’t need analyzing because they were never risks in the first place.
An Example False Positive
Within Oracle EBS, many things can generate a false positive in terms of access-related risk; here is an example of one type of false positive (we refer to these as common false positives, or CFPs)…
Within EBS there is the concept of a person being designated as a “buyer”. There are also several functions (screens) that have been designed only for “buyers”: if a non-buyer attempts to access one of them, access is denied. However, there is nothing to stop one of these buyer functions being added to the menu of a user who is not a buyer. So when you analyze the risks, you come across this user who is not a buyer but has access to a particular buyer-related function, and you report it as a risk. That is a false positive.
Here is a screenshot of this type of CFP in action: the Purchase Orders function is available on the user’s menu, but if the user attempts to open the screen, access is denied because the user is not defined as a “buyer”…
Different Types of False Positive
There are other types of CFP within EBS, such as…
- Shipping Function false positive
- Query Only Function false positive
- HR Query Only false positive
- Non-Visible Menu Entry false positive
- Cross-organization false positive
Plus, there could be any number of other potential types of false positive based on how the system is configured and customized, such as where a personalization has been applied to a form or page.
Imagine now that all these types of false positive exist in the system, you have a large user base, and you are looking for lots of different kinds of risks: you could potentially end up reporting tens of thousands of risks that are false positives.
A good SoD solution should be able to handle these types of false positive to make the process as simple and efficient as possible.
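To show what “handling” these CFPs looks like in practice, here is an added example that is not from this article and not CS*Comply’s code. It models a user’s menu, applies three of the CFP rules described above (buyer-only function, query-only function, non-visible menu entry) to derive the access the user can actually exercise, and only then evaluates a small set of SoD rules. The function names, form codes (PO_FORM and so on), SoD rules and users are all constructed placeholders, not Oracle EBS identifiers.

```python
"""Added example (not from the article or CS*Comply): filter common false
positives (CFPs) out of raw menu access before evaluating SoD rules.
All function names, form codes, rules and users below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Function:
    name: str                 # menu function as a naive analysis sees it
    form: str                 # underlying screen the SoD rule is written against
    buyer_only: bool = False  # screen refuses to open unless the user is a defined buyer
    query_only: bool = False  # read-only variant of the screen; cannot perform the action


@dataclass(frozen=True)
class MenuEntry:
    function: Function
    visible: bool = True      # present in the menu definition but hidden from the user


@dataclass
class User:
    name: str
    is_buyer: bool
    menu: list = field(default_factory=list)


def raw_access(user):
    """Every form the menu definition grants: what a naive analysis reports on."""
    return {entry.function.form for entry in user.menu}


def effective_access(user):
    """Forms the user can actually operate once the CFP rules are applied."""
    usable = set()
    for entry in user.menu:
        f = entry.function
        if not entry.visible:                   # Non-Visible Menu Entry CFP
            continue
        if f.buyer_only and not user.is_buyer:  # buyer-function CFP (the article's example)
            continue
        if f.query_only:                        # Query Only Function CFP
            continue
        usable.add(f.form)
    return usable


def find_conflicts(access, sod_rules):
    """An SoD conflict is a rule whose forms are all held by the user."""
    return {rule for rule in sod_rules if rule <= access}


def analyse(users, sod_rules):
    """Return per-user naive findings, confirmed findings, and the false positives removed."""
    naive = {u.name: find_conflicts(raw_access(u), sod_rules) for u in users}
    confirmed = {u.name: find_conflicts(effective_access(u), sod_rules) for u in users}
    false_positives = {n: naive[n] - confirmed[n] for n in naive if naive[n] - confirmed[n]}
    return naive, confirmed, false_positives


# Constructed sample data: placeholder form codes, two SoD rules, four users.
PO = Function("Purchase Orders", form="PO_FORM", buyer_only=True)
PO_QUERY = Function("Purchase Orders (Query Only)", form="PO_FORM", buyer_only=True, query_only=True)
SUPPLIERS = Function("Suppliers", form="SUPPLIER_FORM")
INVOICES = Function("Invoices", form="INVOICE_FORM")

SOD_RULES = [
    frozenset({"PO_FORM", "SUPPLIER_FORM"}),  # raise purchase orders + maintain suppliers
    frozenset({"PO_FORM", "INVOICE_FORM"}),   # raise purchase orders + enter invoices
]

USERS = [
    User("alice", is_buyer=True,  menu=[MenuEntry(PO), MenuEntry(SUPPLIERS)]),               # real conflict
    User("bob",   is_buyer=False, menu=[MenuEntry(PO), MenuEntry(SUPPLIERS)]),               # buyer CFP
    User("carol", is_buyer=True,  menu=[MenuEntry(PO_QUERY), MenuEntry(INVOICES)]),          # query-only CFP
    User("dave",  is_buyer=True,  menu=[MenuEntry(PO), MenuEntry(SUPPLIERS, visible=False)]),  # hidden entry CFP
]

if __name__ == "__main__":
    naive, confirmed, fps = analyse(USERS, SOD_RULES)
    for name in naive:
        print(f"{name}: reported {len(naive[name])}, confirmed {len(confirmed[name])}, "
              f"false positives {len(fps.get(name, set()))}")
```

Run as written, the naive pass reports one conflict for each of the four users, while the CFP-aware pass confirms only alice’s; bob, carol and dave are the buyer, query-only and non-visible-entry false positives respectively. The other CFPs listed above (shipping, HR query-only, cross-organization) would be further checks in the same `effective_access` loop, which is the point: the analysis should be run over what a user can actually do, not over what the menu definition says.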
Want to find out how we can help you manage false positives during your risk analysis? Get in touch today and ask us about CS*Comply.
Next Week & Early Access
The next article in this series is “It’s all about the reporting of risk”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.