Using Bayes’ Theorem to Evaluate Phishing Cyber Risks
Bayesian methods allow us to identify cybersecurity risks, prioritize them, and communicate risks and their associated return on investment using economic terms that every business professional understands.
I am committed to equipping cybersecurity professionals with the robust capabilities of quantitative Bayesian statistical methods. By leveraging these mathematical and statistical tools, we can enhance our current risk assessment techniques and present risks in terms that business leaders can understand. Bayesian methods allow us to prioritize cybersecurity risks and communicate them with their potential economic impact, ensuring clarity for business professionals.
You can connect with me on LinkedIn and follow my articles on Medium. Get notified via email every time I publish a new article.
I have a primer on Bayes’ Theorem and why it is the future of cybersecurity risk analysis that you may want to read before continuing with this article.
Let’s dive right in and start by setting up a Bayesian risk analysis scenario.
I wanted to keep this scenario simple and perform the math by hand before we dive into more complex examples using Python. Building a strong foundation and understanding of the basics is important and many people overlook the value of this. I highly recommend it.
Scenario: We want to calculate the probability of a data breach in our organization, given that a user has clicked on a link in a real phishing email.
Disclaimer: This scenario can be much more complex. I use this simple example to help cybersecurity professionals new to Bayesian statistics begin thinking about using proven statistical methods to compute breach probabilities and update them over time as new information becomes available. Even though this is a very simple example, it is still relevant and useful.
The ability to update probabilities is a critical capability that Bayesian statistical methods offer over the common risk matrix and heat map methods.
Bayes Theorem
STEP 1: DEFINE THE EVENTS
A: Cyber breach occurs
B: User clicks on a phishing email link
STEP 2: CALCULATE PROBABILITIES
Prior Probability, P(A): This is the overall probability of a cyber breach occurring in your organization.
You can base this estimation on reliable historical data, such as the Verizon DBIR or Cyentia IRIS report.
To really use the highest quality estimates, you should define a reference class and then narrow the focus of your model to be unique to your specific industry.
For example, if your organization is in the financial sector, and the latest Verizon DBIR report states 113 breaches occurred in the last year, this is a good start, considering you have not experienced a breach within your organization yet. This is referred to as a naive estimate.
You are not home-free just yet. Next, you must compute the probability of a breach via a phishing attack for your specific industry. To do that credibly, you need to estimate the number of organizations in your industry. For example, if your organization were a credit union, you could research and confirm there were 4235 credit unions in North America during the year of the Verizon DBIR breach data report. I am just using that number for illustration purposes.
Once you have these two key pieces of information, you can use Laplace’s Rule of Succession to compute a naive estimate for a data breach for your reference class.
Laplace’s Rule and Bayes’ Theorem are similar in that they both involve updating probabilities based on new evidence. Bayes’ Theorem provides a way to revise existing beliefs (or probabilities) in light of new data. It combines prior probability with new evidence to produce a posterior probability. Laplace’s Rule, often used as a method within Bayesian analysis, specifically addresses situations with little to no initial data. It suggests adding a small constant to the number of observed favorable and total outcomes to avoid making probability calculations with zero denominators. Both approaches embody the Bayesian principle of starting with prior beliefs and adjusting them as new information becomes available.
The formula for Laplace’s Rule is (h+1)/(m+2), where h indicates “hits” and “m” signifies “misses.” The 113 breaches in the financial sector would represent your “hits,” and the 4235 credit unions define your population. You can then calculate (113+1)/(4235+2) = 0.027 or 2.7%.
For this example, we can now say P(A) = 0.027
In future articles, I will show you how to prompt the user for these inputs and perform the calculation using Python.
Likelihood, P(B|A): Given that a cyber breach occurs, what’s the probability that it was due to a user clicking a phishing email link?
Hypothetically, let’s say that you gathered data from your security operations center, and you learned that 60% of breaches result from users clicking phishing links.
P(B|A) = 0.60
Evidence, P(B): This is the probability that a user will click on a phishing email link, whether or not it leads to a breach. Let’s say that, from user training metrics and past incidents, your organization finds that on average 5% of phishing emails sent to employees result in a clicked link.
Thus, P(B) = 0.05.
Now, plugging these values into Bayes’ theorem:
P(A|B) = 0.60 × 0.02 / 0.05 = 0.24 or 24%
Given that a user clicked on a phishing email link, there’s a 24% probability that it will result in a cyber breach based on the data in your model.
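The calculation above, carried out in code as an added example (this is not code from the article or its author). It applies Laplace’s Rule with the article’s 113 breaches over 4235 credit unions, where the second argument is the size of the reference class, then computes P(A|B) from the stated P(A) = 0.027, P(B|A) = 0.60 and P(B) = 0.05. With the unrounded P(A) = 0.027 the posterior comes out near 0.32; the article’s arithmetic line uses the rounded 0.02 and therefore shows 0.24. The block also adds two things a practitioner will want when the model is updated over time: a consistency check (Bayes’ theorem only yields a valid probability when P(B|A)·P(A) does not exceed P(B), so a click rate driven low by training while P(A) and P(B|A) are left unchanged produces an impossible result and signals that the other inputs must be re-estimated), and a reference-class update that folds a new reporting period into the prior. The “next year” counts of 9 breaches and 4200 organizations are constructed numbers for illustration.

```python
"""Added example: the article's phishing-breach Bayes calculation, with
Laplace's Rule for the prior, an input-consistency check, a reference-class
update, and a sensitivity sweep over the click rate."""

from typing import Dict, Iterable, Optional


def laplace_rule(hits: int, trials: int) -> float:
    """Laplace's Rule of Succession, (h + 1) / (n + 2).

    h is the number of observed breaches in the reference class and n is the
    size of that class (the article's 113 breaches over 4235 credit unions).
    """
    if hits < 0 or trials < 0 or hits > trials:
        raise ValueError("hits must satisfy 0 <= hits <= trials")
    return (hits + 1) / (trials + 2)


def is_consistent_model(prior: float, likelihood: float, evidence: float) -> bool:
    """True when P(A), P(B|A) and P(B) can coexist in one probability model.

    Bayes' theorem needs P(B) >= P(B|A) * P(A); otherwise the 'posterior'
    would exceed 1, meaning the three estimates came from incompatible data
    and must be revisited before any risk figure is reported.
    """
    if not all(0.0 <= p <= 1.0 for p in (prior, likelihood, evidence)):
        return False
    if evidence == 0.0:
        return False
    return likelihood * prior <= evidence + 1e-12


def bayes_posterior(prior: float, likelihood: float, evidence: float) -> float:
    """P(A|B) = P(B|A) * P(A) / P(B), refusing inconsistent inputs."""
    if not is_consistent_model(prior, likelihood, evidence):
        raise ValueError("P(A), P(B|A) and P(B) are not mutually consistent")
    return likelihood * prior / evidence


def posterior_if_no_click(prior: float, likelihood: float, evidence: float) -> float:
    """P(A|not B): breach probability when the user did NOT click.

    Uses the complements P(not B|A) = 1 - P(B|A) and P(not B) = 1 - P(B).
    Comparing it with P(A|B) shows how much risk the click itself adds.
    """
    if evidence >= 1.0:
        raise ValueError("P(B) = 1 leaves no 'no click' outcome")
    return (1.0 - likelihood) * prior / (1.0 - evidence)


def update_reference_class(hits: int, trials: int, new_hits: int, new_trials: int) -> float:
    """Fold a new reporting period into the Laplace prior.

    Laplace's Rule is a Beta(1, 1) prior updated by counts, so a new period's
    breaches and organizations are simply added to h and n. This is the
    'update as new information becomes available' step the article stresses.
    """
    return laplace_rule(hits + new_hits, trials + new_trials)


def click_rate_sensitivity(prior: float, likelihood: float,
                           click_rates: Iterable[float]) -> Dict[float, Optional[float]]:
    """P(A|B) for each candidate click rate P(B), or None where the inputs
    become inconsistent.

    With P(A) and P(B|A) held fixed, a lower click rate RAISES the per-click
    breach probability, and below P(B|A) * P(A) the model breaks: a reminder
    that better training should also change the likelihood estimate.
    """
    return {
        rate: (bayes_posterior(prior, likelihood, rate)
               if is_consistent_model(prior, likelihood, rate) else None)
        for rate in click_rates
    }


if __name__ == "__main__":
    # Article inputs (the author's illustrative figures).
    p_a = laplace_rule(113, 4235)          # ~0.027
    p_b_given_a = 0.60                     # 60% of breaches involve a phishing click
    p_b = 0.05                             # 5% of phishing emails get clicked
    print(f"P(A)         = {p_a:.4f}")
    print(f"P(A|B)       = {bayes_posterior(p_a, p_b_given_a, p_b):.4f}")
    print(f"P(A|not B)   = {posterior_if_no_click(p_a, p_b_given_a, p_b):.4f}")
    # Constructed 'next year' counts: 9 breaches across 4200 credit unions.
    print(f"updated P(A) = {update_reference_class(113, 4235, 9, 4200):.4f}")
    for rate, post in click_rate_sensitivity(p_a, p_b_given_a, [0.10, 0.05, 0.02, 0.01]).items():
        print(f"click rate {rate:.2f} -> P(A|B) = {'inconsistent' if post is None else f'{post:.3f}'}")
```

Run it as a script to see the four quantities printed; the functions are pure so they can also be imported into a notebook and fed your own reference-class counts.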
It should be easy to identify the need for quality data and information to ensure the integrity and defensibility of your work. You should also walk away from this example and understand how simple this really is in practice, but at the same time, it can be incredibly useful to help quantify these types of scenarios in your organization. No more guessing or using the broken Risk Matrix.
Considerations and Refinement
The prior probability P(A) could be further refined using more granular data like department-specific breaches, industry-specific averages, etc.
The likelihood P(B|A) might change with improved cybersecurity training, better email filters, and other defensive mechanisms.
Regularly updating the probabilities based on new incidents and data ensures the model remains relevant.
Consider other external factors and metrics that might affect the likelihood of a breach when clicking on a phishing link, such as the presence of up-to-date antivirus or endpoint protection, the time taken for incident response, etc.
Using Bayes’ theorem, organizations can quantify and better understand the risks associated with specific actions, such as users interacting with phishing emails, and implement proactive measures accordingly.
I hope this example gets you thinking about what is possible and how to apply it in your organization.