PrepAway - Latest Free Exam Questions & Answers

When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?

A. Number of nonthreatening events identified as threatening

B. Attacks not being identified by the system

C. Reports/logs being produced by an automated tool

D. Legitimate traffic being blocked by the system

Explanation:
Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate known false positives, which generally are not a problem. An IDS does not block any traffic.

