When creating a watch list, you can choose between 2 matching methods:

  • Standard matching will return more matches, thereby increasing the chances a real threat gets identified, but it will also increase the number of false positives, i.e. the number of alerts that do not represent a real threat
  • Narrow matching will result in fewer matches, thereby reducing the number of false positives but increasing the risk that a real threat does not generate an alert if spelled quite differently than on the list

This article explains how and why these 2 methods differ and provides concrete examples so you can make a better decision.

 

General rules

Both methods share the same general rules:

  • Every time a visitor is created, 3 checks are successively performed against the records in the list
  • If any of these checks returns a match, an alert will be sent
  • The first check looks at the name of the visitor, the second checks looks at the name and the company name, and the third check looks at the email of the visitor
  • The logic behind these 3 successive checks is to lower the risk that an unwanted visitor does not trigger an alert (if his name or company name slightly differs from the record in the watch list). You’ll see specific examples of this further down in the article  

 

Differences

The difference between the two methods relates to how we decide there is a match between two names during check 1 and check 2. The Narrow method will return less results, and thus also less false positives.


As you can see in the table above, the Standard method predominantly uses phonetic match while the Narrow method predominantly uses exact match. These two matching mechanisms are explained below.

 

Phonetic match

Two names will match if they “sound” the same. However, as we cannot “hear” the 2 names, we need to rely on an algorithm to decide whether or not 2 names “sound” the same. For this we use a well-known algorithm called Soundex.

The basic idea of Soundex is to transform every word into a alphanumeric code based on a few rules. For instance, the Soundex of “Robertson” is R163. Here is an online Soundex generator if you want to know the Soundex of any name.

For many names, this works quite well. For instance, both “Jonson” and “Johnsson” share the same Soundex (J525). As a consequence, if your watch list record reads “Jonson” but she checks in under “Johnsson”, an alert will be sent.

In some cases however, the algorithm returns the same Soundex for names that are quite different. For instance, “Sullivan” and “Sahlbom” both correspond to S415.

For companies that prefer to limit the number of false positives like this one, exact match is a good alternative to phonetic match.

 

Exact match

Here is how exact match works:

  • The two names to be compared are first normalized. Normalization means the following operations are applied to the name:  (i) capitalize, (ii) remove spaces, (iii) remove accents, (iv) remove non-alphanumeric values, (v) remove successive identical letters  
  • The two normalized names are then compared
  • The comparison will return a match (and an alert) only if the two normalized versions of the names match exactly
  • Example of pairs that match under this method: “De Souza” and “Desouza”, “O’Connor” and “Oconnor”, “De Cooman” and “De Coman”, “Pêtre” and “Petre”

Now that we’ve discussed the phonetic and exact match, let’s review with concrete examples how the standard and narrow methods differ for every check.

 

Examples

Check#1: visitor first and last name

Under the standard method, an alert is sent when

  • First letter of first name match
  • There is a phonetic match on the last name

Under the narrow method, an alert is sent when

  • There is a phonetic match on the first name
  • There is an exact match on the last name

The table below lists a few visitor names and indicates whether an alert is sent or not under the 2 methods.

Example First and last name entered on Dashboard or iPad Record in watch list Alert sent with standard method? Alert sent with narrow method?
1 Teresa De Angelo Tereza DeAngelo Yes Yes
2 Kimberly Oconnor Kim O’Connor Yes No
3 Olaf Johnsson Olav Jonson Yes No
4 Johan Kittori Johan Quitori Yes No
5 John Sahlbom James Sullivan Yes No
6 Ronald Keegan Ronald McArthur No No
7 Greg McArthur Ronald McArthur No No
8 Beth Kinley Elisabeth Kinley No No

As you can see, under the standard method, the first check manages to identify close variations of last names (examples #1 to #4). At the same time, it does not trigger an alert when only the last name (or only the first name) matches, which is effective in ruling out false positives (examples #6 and #7).

The standard method can however be too broad, as example #5 shows. Narrow matching is here the solution as it limits the number of false positives.

Looking at example #8, we could argue that an alert should have been sent, even under the exact method.

This is why the second check is performed.

 

Check#2: last name and company name

Under the standard method, an alert is sent when

  • There is a phonetic match on the last name
  • There is a phonetic match on the company name

Under the narrow method, an alert is sent when

  • There is an exact match on the last name
  • There is an exact match on the company name

Table below shows how this check will trigger an alert for the visitor that missed the first check.

Example Name and company entered on Dashboard or iPad Record in watch list Alert sent with standard method? Alert sent with narrow method?
1 Beth Kinley, Boloo Elisabeth Kinley, Bolo Yes Yes

 

Check#3: email

Finally, a third check is performed: if there is an exact match with the email address, an alert will be sent (irrespective of values of the other fields). This is true for both the standard or narrow methods.

Example Name, company and email entered on Dashboard or iPad Record in watch list Alert sent with standard method? Alert sent with narrow method?
1 Test Test, Test, yheida@mangaelectronics.com Yasuhiro Heida, Manga Electronics, yheida@mangaelectronics.com Yes Yes

The rationale is that email addresses are unique, so we consider security should be warned when there is a match.

We hope the above helps you understand the difference between the 2 methods. In any case, please take into account human judgment is also part of the story. Quite some info is sent together with the alert (see screenshot below) to help security guards assess the real threat posed by the visitor.

 

FacebookGoogle+EmailTwitterLinkedIn