While probably everyone would agree that information security risk analysis (ISRA) is shot through with appeals to probability, very few non-academic discussions of ISRA provide any sort of rigorous analysis of what “probability” means. (See Alberts and Dorofee 2003 for a notable exception.) In this blog post, I will try to fill that gap and provide a brief overview of the basic interpretations of probability. I will then explain why these distinctions matter to ISRA.
6 Theories of Probability
It may come as a surprise to some that there is actually a variety of interpretations or theories of probability. All of the theories about probability can be divided into two groups: objective and non-objective.
Objective Theories of Probability
Objective theories of probability define probability values in a way that makes them independent of opinion. For example, consider what it means to talk about the probability of a compromise of a web server. According to objective theories of probability, there is only one correct probability value (or range of values), period, and it doesn’t matter what you or I or anyone else thinks. There are many different types of objective probability, including the frequency theory, the logical theory, and the propensity theory.
The classical theory of probability is the oldest and probably best-known theory of probability. It treats all possible outcomes as equally probable. Thus, given a fair, standard six-sided die, the probability that any one side will land face up is 1/6.
The aleatory or frequency theory of probability is arguably the best-known theory of probability; it is also an empirical theory that views probability as a feature of the natural world. Anyone who has taken a mathematics course on statistics or probability theory has learned frequency probability. The frequency theory of probability defines probability as the frequency with which an outcome appears in a long series of similar events (Gillies 2000, p. 1). Note that what the mathematician calls “frequency,” the information security professional has traditionally called the “rate of occurrence.” (For example, the auto insurance industry computes the “rate of occurrence” of theft for your vehicle, based on historical data about thefts in your location, the number of thefts involving your type of car, your claim history, and so forth.) In order to apply the frequency interpretation of probability, one must have sufficient data in order to arrive at a statistically valid conclusion about the frequency of the event in question.
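The frequency definition above, and its requirement of "sufficient data," can be made concrete with a small calculation. The following Python is an added example, not code from the original post: it treats each server-year as one trial in a series of similar events, computes the relative frequency of compromise (the ISRA "rate of occurrence"), and attaches a Wilson score interval so that the width of the interval, rather than the point estimate alone, shows whether the series is long enough. The incident records and the hostnames in it are constructed for illustration and are not real figures.

```python
import math

# Constructed sample data (not real incident figures): each record is one
# server observed for one year, tagged with whether it was compromised.
# SMALL_SAMPLE is 40 server-years with 3 compromises; LARGE_SAMPLE is
# 4000 server-years with 300 compromises, i.e. the same relative frequency
# backed by 100 times as much observation.
SMALL_SAMPLE = [(f"web-{i:02d}", 2023, i in (4, 17, 31)) for i in range(40)]
LARGE_SAMPLE = [(f"web-{i:04d}", 2020 + i % 4, i % 40 < 3) for i in range(4000)]


def count_trials(records):
    """Return (compromises, server_years) for a list of (host, year, hit) records."""
    trials = len(records)
    hits = sum(1 for _, _, hit in records if hit)
    return hits, trials


def relative_frequency(hits, trials):
    """Frequency-theory probability: occurrences divided by similar trials."""
    if trials == 0:
        raise ValueError("no trials observed; a frequency is undefined")
    return hits / trials


def wilson_interval(hits, trials, z=1.96):
    """Wilson score interval (default 95%) for the underlying rate.

    The interval, not the point estimate, tells you whether the observed
    series of events is long enough to support a conclusion about the rate.
    """
    if trials == 0:
        raise ValueError("no trials observed")
    p = hits / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    spread = z * math.sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return max(0.0, centre - spread), min(1.0, centre + spread)


def required_trials(p, half_width, z=1.96):
    """Server-years needed for a normal-approximation interval of +/- half_width
    around an assumed rate p; use it to judge how much history is 'sufficient'."""
    return math.ceil(z * z * p * (1 - p) / (half_width * half_width))


def summarize(records):
    """Rate of occurrence plus its interval for one set of server-year records."""
    hits, trials = count_trials(records)
    lo, hi = wilson_interval(hits, trials)
    return {"hits": hits, "trials": trials,
            "frequency": relative_frequency(hits, trials), "low": lo, "high": hi}


if __name__ == "__main__":
    for name, sample in (("small", SMALL_SAMPLE), ("large", LARGE_SAMPLE)):
        s = summarize(sample)
        print(f"{name}: {s['hits']}/{s['trials']} server-years, rate {s['frequency']:.3f}, "
              f"95% interval [{s['low']:.3f}, {s['high']:.3f}]")
    print("server-years needed for +/-0.01 around 0.075:", required_trials(0.075, 0.01))
```

Both samples give the same point estimate of 0.075 compromises per server-year, but the small sample's interval spans roughly 0.03 to 0.20 while the large sample's is a few hundredths wide; the last line shows that pinning the rate down to plus or minus one percentage point takes on the order of several thousand server-years of history, which is the practical content of the "sufficient data" condition.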