Applying Bayes’ Theorem in Cybersecurity: Risk Analysis Illustrated with Examples
Bayes’ Theorem is a mathematical formula for updating hypotheses’ probabilities based on observed evidence.
This can mean updating the likelihood of a security risk or threat in cybersecurity, given new data or findings.
I am committed to equipping cybersecurity professionals with the robust capabilities of quantitative Bayesian statistical methods. By leveraging these mathematical and statistical tools, we can enhance our current risk assessment techniques and present risks in terms that business leaders can understand. Bayesian methods allow us to prioritize cybersecurity risks and communicate them with their potential economic impact, ensuring clarity for business professionals.
You can connect with me on LinkedIn and follow my articles on Medium. Get notified via email every time I publish a new article.
Bayes’ Theorem
Bayes’ Theorem allows us to update the probability of an event A given new evidence B.
The theorem is expressed mathematically as shown in the illustration above: P (A | B) = P (B | A) × P (A) / P (B), where:
P (A | B) is the posterior probability: the probability of A occurring, given that B has occurred.
P (B | A) is the probability of observing B given A.
P (A) is known as prior probability and is the initial probability of A before considering B.
P (B) is the marginal likelihood, the total probability of observing B.
Cybersecurity Examples Using Bayes’ Rule
To start thinking about probability using Bayes’ Theorem, I will provide some simple examples below to help you become familiar with applying conditional probability, marginal likelihood, likelihood, prior probability, and posterior probability.
Conditional Probability P (A | B)
This rule represents the probability of the event (A) occurring, given that (B) has occurred. The | symbol is read as “given.”
In cybersecurity, this could be the probability that a network intrusion has occurred, given an unexpected increase in outbound traffic.
Example: Network Monitoring
Suppose your network monitoring tools have detected an abnormal increase in outbound traffic (B). You want to calculate the probability that this is an actual data exfiltration attempt (A).
This would be your conditional probability notation: P (Data Exfiltration | High Outbound Traffic).
Example: Malware Infection Given Suspicious Activity
Conditional probability is crucial in cybersecurity to evaluate the likelihood of a threat given some conditions or indicators.
For example, suppose 2% of the systems in a network show suspicious activity, and 50% of the systems that showed suspicious activity were found to have malware. In this case, P (Malware | Suspicious Activity) = 0.5.
Likelihood P (B | A)
This is the probability of observing evidence (B) given that hypothesis (A) is true.
In cybersecurity, this could be the likelihood of detecting an abnormal pattern of activity if a system is indeed compromised.
Example: IDS Detection
Imagine your intrusion detection system (IDS) has a 98% detection rate for a particular kind of malware (A). This would mean the likelihood P (Alarm Triggered | Malware Present) = 0.98.
The likelihood helps in measuring how accurately a condition predicts an event.
Example: Accuracy of Phishing Detection
If your email filtering system is known to flag 90% of phishing emails correctly, then the likelihood P (Flagged | Phishing) = 0.9.
Prior Probability P (A)
This is the initial probability of (A) before new evidence (B) is considered. In the cybersecurity context, this could be based on historical data or industry benchmarks.
Example: Malware
Suppose 1% of devices in your industry sector are known to be compromised by a particular malware. This is your prior probability P (Malware Present) = 0.01 or 1%.
The prior probability represents the initial rate of an event before considering any other factors.
Example: Rate of Phishing Attacks
Based on historical data, let’s assume that 10% of emails your organization receives are phishing attempts. This is the prior probability P (Phishing) = 0.10 or 10%.
Marginal Likelihood P (B)
This is the total probability of observing (B) and is sometimes calculated as a sum of all the ways (B) could occur. This would include both true and false positives for a particular alarm in cybersecurity.
Example: IDS Alarm Triggers
Suppose your IDS triggers alarms for various reasons, and after analyzing logs, you find that it triggers an alarm 5% of the time for all incoming network traffic. This is your marginal likelihood P (Alarm Triggered) = 0.05.
Marginal likelihood helps calculate a particular event’s overall rate, which serves as a denominator in Bayes’ Theorem.
Example: Rate of False Positives
Suppose your intrusion detection system (IDS) gives false alarms 3% of the time and true alarms 5% of the time.
The marginal likelihood of any alarm going off would be P (Alarm) = 0.03 (False) + 0.05 (True) = 0.08.
Posterior Probability P (A | B)
This is the updated probability of (A) after considering new evidence (B). It is the main output when applying Bayes’ Theorem.
Example: IDS Alarm
An alarm has been triggered on your IDS. You want to update the probability that this alarm is genuinely due to the malware it’s designed to detect. Using Bayes’ theorem, you would calculate P (Malware Present | Alarm Triggered).
Here’s how the formula would look with the example components:
P (Malware Present | Alarm Triggered) = 0.98 × 0.01 / 0.05 = 0.0098 / 0.05 = 0.196, i.e. 19.6%
This tells you that given an alarm has been triggered, there’s a 19.6% chance that the malware it’s designed to detect is actually present.
By understanding and applying each of these components within the context of Bayes’ Theorem, cybersecurity professionals can make more informed decisions about the risks they face and how to mitigate them.
Given new evidence, posterior probability helps you update your beliefs about an event.
Example: Update Probability of Phishing After Being Flagged
Suppose your system has flagged an email as a potential phishing email. You want to update the probability that this flagged email is a phishing attempt.
Using Bayes’ Theorem:
P (Phishing | Flagged) = P (Flagged | Phishing) × P (Phishing) / P (Flagged)
where P (Flagged | Phishing) = 0.9 (likelihood), P (Phishing) = 0.01 (prior), and P (Flagged) (marginal likelihood) would be calculated based on how often emails get flagged, whether they are phishing or not: the flag rate on phishing emails weighted by the prior, plus the flag rate on legitimate emails weighted by one minus the prior.
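As an added example (not code from the original article), the Python below computes the posterior for the IDS alarm example above and completes the phishing example by deriving P (Flagged) from the filter’s true-positive and false-positive rates; it also goes beyond the text by chaining several independent indicators, each posterior becoming the next prior. The 5% false-positive rate on legitimate mail and the `Detector` helper are assumptions, not values from the article.

```python
"""Bayes' Theorem for security alerts: posterior from prior, likelihood and marginal."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Detector:
    """Accuracy of a detector: P(alert | threat) and P(alert | no threat)."""
    true_positive_rate: float   # likelihood P(B | A)
    false_positive_rate: float  # P(B | not A)


def marginal_likelihood(prior: float, det: Detector) -> float:
    """P(B) by total probability: true alerts plus false alerts."""
    return det.true_positive_rate * prior + det.false_positive_rate * (1.0 - prior)


def posterior(prior: float, likelihood: float, marginal: float) -> float:
    """Bayes' Theorem: P(A | B) = P(B | A) * P(A) / P(B)."""
    if not 0.0 < marginal <= 1.0:
        raise ValueError("P(B) must lie in (0, 1]; an alert that never fires carries no evidence")
    return likelihood * prior / marginal


def posterior_from_detector(prior: float, det: Detector) -> float:
    """Posterior when only the detector's TPR/FPR and the base rate are known."""
    return posterior(prior, det.true_positive_rate, marginal_likelihood(prior, det))


def sequential_update(prior: float, detectors: Iterable[Detector]) -> float:
    """Chain indicators: each posterior becomes the next prior.

    Assumes the alerts are conditionally independent given the threat state.
    """
    belief = prior
    for det in detectors:
        belief = posterior_from_detector(belief, det)
    return belief


# Article's IDS example: P(Malware | Alarm) = 0.98 * 0.01 / 0.05
ids_posterior = posterior(prior=0.01, likelihood=0.98, marginal=0.05)

# Article's phishing example, with P(Flagged) derived from an assumed 5%
# false-positive rate on legitimate mail (constructed value, not from the article).
phish_filter = Detector(true_positive_rate=0.9, false_positive_rate=0.05)
phish_posterior = posterior_from_detector(prior=0.01, det=phish_filter)

if __name__ == "__main__":
    print(f"P(Malware | Alarm)    = {ids_posterior:.3f}")
    print(f"P(Phishing | Flagged) = {phish_posterior:.3f}")
    print(f"after two flags       = {sequential_update(0.01, [phish_filter] * 2):.3f}")
```

Even a 90%-accurate filter leaves most flagged mail legitimate when the prior is 1%; a second independent indicator is what moves the posterior past 50%.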
By applying these components effectively, Bayes’ Theorem can significantly aid in evaluating and updating cybersecurity risks.
It helps organizations to make more informed decisions about their cybersecurity posture.