## 6 Theories of Probability and 6 Reasons Why They Matter to ISRA

Classical Theory of Probability: There are two possible outcomes of a coin toss: heads and tails. Since each outcome is equally probable, the probability of heads is 0.5.

Frequency Theory of Probability: Given repeated throws of the coin, the actual observed relative frequency of the coin landing heads is the same as the actual observed relative frequency of the coin landing tails. Therefore, the probability of heads is 0.5.

Logical Theory of Probability: The logical relation between the evidence and the hypothesis that heads will land, and the relation between the evidence and the hypothesis of tails, is the same. So the probabilities are equal, and the rational degree of belief that the coin will land heads is 0.5.

Propensity Theory of Probability: The setup of the coin toss is arranged so that the propensity for the coin to land heads is the same as it is for tails. So the probability of heads is 0.5.

Personal Theory of Probability: My degree of belief that the coin will land heads is 0.5.

Intersubjective Theory of Probability: Our degree of belief that the coin will land heads is 0.5.

### Example: Probability = 0

Consider the following problem: What is the probability that a man is married, conditional upon him being a bachelor?

Classical Theory of Probability: A “married bachelor” is not a possible outcome. Therefore, the probability that a man is married, conditional upon him being a bachelor, is 0.

1. Russell Thomas Sep 8, 2010 at 10:23 am

Great post, Jeff.

One thing I’ll add is to counter the criticism that ISRA relies on *predictions* of the future, which is another way of saying “knowledge about the future”. Most InfoSec people, in their gut, feel that such knowledge is unattainable or infeasible.

But ISRA is really not about predicting the future or having highly certain knowledge about the future. Instead, its benefit is to help us ORGANIZE OUR UNCERTAINTY. It’s the systematic treatment of uncertainty and ignorance in all its forms, with a goal of promoting continuous learning and adaptation.

Russell Cameron Thomas

2. Jeff Lowder Sep 8, 2010 at 2:10 pm

Thanks, Russell. I’m glad you liked the post!

Regarding the issue of ‘predicting’ the future, I think I agree with your point, but I would word it in a slightly different way. I would say that risk analyses do make ‘predictions’ about the future, but these predictions are hedged in various ways. For example, personal probabilities and intersubjective probabilities represent our degrees of belief (and, accordingly, our uncertainty) regarding various information security-related hazards. Additionally, as my discussion of single-case probabilities hopefully makes clear, frequency probabilities typically don’t make a prediction about a single event. On the other hand, estimated relative frequencies do … estimate the actual relative frequency in the real world, and hence the corresponding ‘actual’ frequency probability. Thus, for example, an ISRA may not provide an inductively correct argument for concluding that this web server will be attacked at this time, but it may be able to show that some system will be attacked at some time during a given time span. In that sense, I would say that ISRA does make predictions. This does not deny what I think is your point, however, that the criticism of ISRA falsely assumes that ISRA is committed to making a series of predictions about single events.

Jeff