6 Theories of Probability and 6 Reasons Why They Matter to ISRA

The logical theory of probability defines probability in terms of a logical relation between evidence and a hypothesis. In the words of Gillies, the logical theory “identifies probability with degree of rational belief” (Gillies 2000, p. 1). If the logical theory of probability is true, probability is always conditional upon evidence. The economist John Keynes is often credited with the first rigorous statement of logical probability. At first glance, the logical theory of probability might look redundant with the personal theory of probability, since both refer to “degree of belief.” For the same reason, one might wonder why the logical theory is not considered a subjective theory. The answer is that the personal theory is based upon degree of belief, whereas the logical theory is based upon the degree of rational belief.

The propensity theory of probability was developed by the philosopher Karl Popper. In the words of Ian Hacking, the propensity theory of probability defines probability in terms of “the tendency, disposition, or propensity of some chance setup” (see Hacking 2001, p. 145). Popper’s motivation for creating the propensity theory was to provide a way to objectively assign a probability value to a singular event. (Popper was concerned with quantum mechanics, but the worry is equally applicable to certain types of events within information security.) The propensity theory allows us to assign probabilities to singular events, that is, events for which there is no series of events that could form the basis for a frequency probability.

Non-Objective Theories of Probability

Non-objective theories of probability define probability values according to the beliefs of individuals or groups of individuals. According to non-objective theories of probability, probability values represent degrees of belief. Since different people can have different degrees of belief about the same thing, it follows that if a non-objective theory of probability is true, then different people can assign different personal probability values to the same event.


  1. Russell Thomas Sep 8, 2010 at 10:23 am

    Great post, Jeff.

    One thing I’ll add is to counter the criticism that ISRA relies on *predictions* of the future, which is another way of saying “knowledge about the future”. Most InfoSec people, in their gut, feel that such knowledge is unattainable or infeasible.

    But ISRA is really not about predicting the future or having highly certain knowledge about the future. Instead, its benefit is to help us ORGANIZE OUR UNCERTAINTY. It’s the systematic treatment of uncertainty and ignorance in all its forms, with a goal of promoting continuous learning and adaptation.

    Russell Cameron Thomas

  2. Jeff Lowder Sep 8, 2010 at 2:10 pm

    Thanks, Russell. I’m glad you liked the post!

    Regarding the issue of ‘predicting’ the future, I think I agree with your point, but I would word it in a slightly different way. I would say that risk analyses do make ‘predictions’ about the future, but these predictions are hedged in various ways. For example, personal probabilities and intersubjective probabilities represent our degrees of belief (and, accordingly, our uncertainty) regarding various information security-related hazards. Additionally, as my discussion of single-case probabilities hopefully makes clear, frequency probabilities typically don’t make a prediction about a single event. On the other hand, estimated relative frequencies do … estimate the actual relative frequency in the real world, and hence the corresponding ‘actual’ frequency probability. Thus, for example, an ISRA may not provide an inductively correct argument for concluding that this web server will be attacked at this time, but it may be able to show that some system will be attacked at some time during a given time span. In that sense, I would say that ISRA does make predictions. This does not deny what I think is your point, however, that the criticism of ISRA falsely assumes that ISRA is committed to making a series of predictions about single events.

