6 Theories of Probability and 6 Reasons Why They Matter to ISRA

Frequency Theory of Probability: Given a long sequence of married men, there have been no observed instances of a married bachelor. Therefore, the probability that a man is married, conditional upon him being a bachelor, is 0.

Logical Theory of Probability: The concept of a “married bachelor” is a contradiction in terms. Therefore, the probability that a man is married, conditional upon him being a bachelor, is 0.

Propensity Theory of Probability: There is no tendency in the population of married men to be bachelors. Therefore, the probability that a man is married, conditional upon him being a bachelor, is 0.

Personal Theory of Probability: My degree of belief that a man is married, conditional upon him being a bachelor, is 0.

Intersubjective Theory of Probability: Our degree of belief that a man is married, conditional upon him being a bachelor, is 0.

Example: Probability = 100%

Consider the following problem: What is the probability of an unmarried bachelor?

Classical Theory of Probability: There is only 1 type of bachelor: an unmarried one. Therefore, the probability that a man is unmarried, conditional upon him being a bachelor, is 100%.

Frequency Theory of Probability: Given a long sequence of observed bachelors, all of them have been unmarried. Therefore, the probability of an unmarried bachelor is 100%.

Logical Theory of Probability: The concept of an “unmarried bachelor” is a tautology. Therefore, the probability of a married bachelor is 100%.

2 Comments

  1. Russell Thomas Sep 8, 2010 at 10:23 am | Permalink

    Great post, Jeff.

    One thing I’ll add is to counter the criticism that ISRA relies on *predictions* of the future, which is another way of saying “knowledge about the future”. Most InfoSec people, in their gut, feel that such knowledge is unattainable or infeasable.

    But ISRA is really not about predicting the future or having highly certain knowledge about the future. Instead, it’s benefit is to help us ORGANIZE OUR UNCERTAINTY. It’s the systematic treatment of uncertainty and ignorance in all it’s forms, with a goal of promoting continuous learning and adaptation.

    Russell Cameron Thomas

  2. Jeff Lowder Sep 8, 2010 at 2:10 pm | Permalink

    Thanks, Russell. I’m glad you liked the post!

    Regarding the issue of ‘predicting’ the future, I think I agree with your point, but I would word it in a slightly different way. I would say that risk analyses do make ‘predictions’ about the future, but these predictions are hedged in various ways. For example, personal probabilities and intersubjective probabilities represent our degrees of belief (and, accordingly, our uncertainty) regarding various information security-related hazards. Additionally, as my discussion of single-case probabilities hopefully makes clear, frequency probabilities typically don’t make a prediction about a single event. On the other hand, estimated relative frequencies do … estimate the actual relative frequency in the real world, and hence the corresponding ‘actual’ frequency probability. Thus, for example, an ISRA may not provide an inductively correct argument for concluding that this web server will be attacked at this time, but it may be able to show that some system will be attacked at some time during a given time span. In that sense, I would say that ISRA does make predictions. This does not deny what I think is your point, however, that the criticism of ISRA falsely assumes that ISRA is committed to making a series of predictions about single events.

    Jeff

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*