6 Theories of Probability and 6 Reasons Why They Matter to ISRA

There are two main types of non-objective theories of probability. The first is called the epistemic, subjective, belief-type, or personal theory of probability. The personal probability of a statement is a measure of the probability that a statement is true, given some stock of knowledge. In other words, personal probability measures a person’s degree of belief in a statement. The personal probability of a statement can vary from person to person and from time to time (based upon what knowledge a given person had at a given time) (see Skyrms, p. 23). For example, the personal probability that a factory worker Joe will get a pay raise might be different for Joe than it is for Joe’s supervisor, due to differences in their knowledge.

The second approach is the intersubjective theory of probability. That theory defines probability in terms of a social group’s degree of belief in a statement (Gillies, pp. 1-2). If some group of individuals, perhaps a team of information security consultants applying Thomas Peltier’s Facilitated Risk Analysis Process (see Peltier 2010), reach a consensus regarding the probability of a statement, then that value constitutes the team’s intersubjective probability for that statement.

Like the other types of probability values, non-objective probabilities represent numerical values. Although these values are rarely known precisely, they are real numerical values that must obey the axioms of the probability calculus. Thus, while the values may be subjective, they cannot be completely arbitrary.
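To make the last point concrete, here is an added example (not from the post) that checks a constructed set of team estimates, the kind a FRAP-style workshop might agree on, against the probability axioms; the statements, numbers and relation lists are all assumed for illustration.

```python
# Constructed example, not from the post: statements about one hazard and the
# probability an (imagined) assessment team agreed on for each of them.
TEAM_ESTIMATES = {
    "web server compromised this quarter": 0.30,
    "web server not compromised this quarter": 0.75,   # deliberately incoherent
    "compromise via unpatched CMS": 0.20,
    "compromise via stolen credentials": 0.15,
    "compromise via unpatched CMS and stolen credentials": 0.25,  # incoherent
}

# Groups of statements that are mutually exclusive and jointly exhaustive:
# their probabilities must sum to exactly 1.
PARTITIONS = [
    ("web server compromised this quarter",
     "web server not compromised this quarter"),
]

# (A, B, "A and B") triples: a conjunction can never be more probable
# than either of its conjuncts.
CONJUNCTIONS = [
    ("compromise via unpatched CMS",
     "compromise via stolen credentials",
     "compromise via unpatched CMS and stolen credentials"),
]


def coherence_violations(estimates, partitions, conjunctions, tol=1e-9):
    """Return a list of axiom violations found in a set of probability
    estimates. An empty list means the estimates are coherent, i.e. they
    could be someone's (or some team's) degrees of belief."""
    problems = []
    for statement, p in estimates.items():
        if not 0.0 <= p <= 1.0:
            problems.append(f"{statement!r}: {p} is outside [0, 1]")
    for group in partitions:
        total = sum(estimates[s] for s in group)
        if abs(total - 1.0) > tol:
            problems.append(f"partition {group} sums to {total:.2f}, not 1")
    for a, b, both in conjunctions:
        if estimates[both] > min(estimates[a], estimates[b]) + tol:
            problems.append(f"{both!r} = {estimates[both]} exceeds "
                            f"min(P({a!r}), P({b!r}))")
    return problems


if __name__ == "__main__":
    for msg in coherence_violations(TEAM_ESTIMATES, PARTITIONS, CONJUNCTIONS):
        print("violation:", msg)
```

Run as-is it reports two violations; once the team revises the two flagged numbers so that the partition sums to 1 and the conjunction no longer exceeds its conjuncts, the list is empty.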

Example: Probability = 0.5

Consider the following problem: There is a fair coin that is about to be tossed. What is the probability of it landing heads?


  1. Russell Thomas Sep 8, 2010 at 10:23 am

    Great post, Jeff.

    One thing I’ll add is to counter the criticism that ISRA relies on *predictions* of the future, which is another way of saying “knowledge about the future”. Most InfoSec people, in their gut, feel that such knowledge is unattainable or infeasible.

    But ISRA is really not about predicting the future or having highly certain knowledge about the future. Instead, its benefit is to help us ORGANIZE OUR UNCERTAINTY. It’s the systematic treatment of uncertainty and ignorance in all its forms, with a goal of promoting continuous learning and adaptation.

    Russell Cameron Thomas

  2. Jeff Lowder Sep 8, 2010 at 2:10 pm

    Thanks, Russell. I’m glad you liked the post!

    Regarding the issue of ‘predicting’ the future, I think I agree with your point, but I would word it in a slightly different way. I would say that risk analyses do make ‘predictions’ about the future, but these predictions are hedged in various ways. For example, personal probabilities and intersubjective probabilities represent our degrees of belief (and, accordingly, our uncertainty) regarding various information security-related hazards. Additionally, as my discussion of single-case probabilities hopefully makes clear, frequency probabilities typically don’t make a prediction about a single event. On the other hand, estimated relative frequencies do … estimate the actual relative frequency in the real world, and hence the corresponding ‘actual’ frequency probability. Thus, for example, an ISRA may not provide an inductively correct argument for concluding that this web server will be attacked at this time, but it may be able to show that some system will be attacked at some time during a given time span. In that sense, I would say that ISRA does make predictions. This does not deny what I think is your point, however, that the criticism of ISRA falsely assumes that ISRA is committed to making a series of predictions about single events.

