7. SACON 2017
Uncertainty everywhere
• Would Stock A move up by 20% in the next 1 year?
• Which movie should we watch next?
• Can I come home safely?
• From a search engine's or online retailer's perspective:
  • Which web page is D trying to find?
  • Which link will E click on?
  • What kind of product does F wish to buy?
  • What gesture is G making?
• Many others …
7 (C) Ramakrishnan Venkatasubramanian 2017
8. SACON 2017
Types of Uncertainty
Aleatory uncertainty - Uncertainty that comes from a random process.
• Flipping a coin and predicting either HEADS or TAILS is aleatory uncertainty.
• In other words, the uncertainty we are observing is random, it is part of the natural processes of what we are observing.
Epistemic uncertainty - Uncertainty that comes from the lack of knowledge.
• This lack of knowledge comes from many sources. Inadequate understanding of the underlying processes, incomplete knowledge of the phenomena, or imprecise evaluation of the related characteristics are common sources of epistemic uncertainty.
• In other words, we don't know how this thing works so there is uncertainty about its operation.
10. SACON 2017
Probability vs. Possibility
• Possibility is "binary": something is possible or it is not.
• Probability is a continuum addressing the area between certainty and impossibility.
Risk management deals with probability as it deals with future events that always have some amount of uncertainty.
Probability | Possibility
There is a 50% chance of rain between 10am and 2pm today | It's possible it could rain today
The chance of being killed by a shark is one in 300 million | It's possible we could be killed by a shark when swimming
12. SACON 2017
Let's Play
• What is the probability of at least 2 people out of 23 having the same birthday?
  • 8%
  • 51%
  • 2%
  • 14%
• What is the chance of people choosing the same number from 1 to 100 out of 20 people?
  • 87%
  • 51%
  • 5%
  • 10%
• 1 in 1,000 systems have a vulnerability, say D. A test for vulnerability D is 100% accurate for systems that have the vulnerability and 95% accurate for those not...
  Your system received a positive test result. What is the probability you have vulnerability D?
  • 95%
  • 5%
  • 90%
  • 2%
25. SACON 2017
What is a Bayesian Network (BN)?
1. BNs, also known as belief networks (or Bayes nets, for short), belong to the family of probabilistic
graphical models (PGMs).
2. These graphical structures are used to represent knowledge about an uncertain domain.
3. PGMs with directed edges are generally called a directed acyclic graph (DAG), which is popular in
statistics, machine learning and artificial intelligence.
4. “A BN is a visual description of the relationships between cause and effect. It is made up of
nodes and arcs, and each node in the network represents a variable, and the arcs represent the
causal relationships between the variables.”
5. BNs use Bayes’ theorem to compute the probabilities in the model.
31. SACON 2017
Reasoning backwards
Network: Coin 1 {H,T} and Coin 2 {H,T} → Both heads {true, false}
Coin 1 | T | T | H | H
Coin 2 | T | H | T | H
Both heads | false | false | false | true
Inference
• Both heads = false: p(H) = 1/3 for Coin 1 and p(H) = 1/3 for Coin 2
• Both heads = false and one coin = tails: p(H) = 1/2 for the other coin
32. SACON 2017
Reasoning backwards
Network: Coin 1 {H,T} and Coin 2 {H,T} → Both heads {true, false}
Coin 1 | T | T | H | H
Coin 2 | T | H | T | H
Both heads | false | false | false | true
• Both heads = false and one coin = heads: p(H) = 0 for the other coin
“Explaining away”
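An added example (not from the original slides) that reproduces the "reasoning backwards" numbers of slides 31-32 and the vulnerability-test quiz of slide 12 by brute-force enumeration over a small Bayesian network. The node names, the `posterior` helper and the reading of "95% accurate" as a 5% false-positive rate are assumptions of this example; observing Coin 2 rather than Coin 1 is an arbitrary choice.

```python
from fractions import Fraction as F
from itertools import product

def posterior(nodes, query, evidence):
    """P(query | evidence) by enumerating every world of a small discrete BN.
    nodes: (name, parents, cpt) triples; cpt maps parent values -> {value: prob}."""
    names = [name for name, _, _ in nodes]
    domains = [list(next(iter(cpt.values()))) for _, _, cpt in nodes]
    num = den = F(0)
    for values in product(*domains):
        world = dict(zip(names, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue  # world contradicts what was observed
        p = F(1)
        for name, parents, cpt in nodes:  # chain rule over the DAG
            p *= cpt[tuple(world[q] for q in parents)][world[name]]
        den += p
        if all(world[k] == v for k, v in query.items()):
            num += p
    if den == 0:
        raise ValueError("evidence has probability zero under this model")
    return num / den

# Slides 31-32: two fair coins feeding a deterministic "both heads" node.
FAIR = {(): {"H": F(1, 2), "T": F(1, 2)}}
COINS = [
    ("coin1", (), FAIR),
    ("coin2", (), FAIR),
    ("both_heads", ("coin1", "coin2"),
     {(a, b): {True: F(int(a + b == "HH")), False: F(int(a + b != "HH"))}
      for a in "HT" for b in "HT"}),
]

# Slide 12 quiz, read as: prevalence 1/1000, no false negatives,
# 5% false positives (assumed meaning of "95% accurate" for clean systems).
SCAN = [
    ("vulnerable", (), {(): {True: F(1, 1000), False: F(999, 1000)}}),
    ("positive", ("vulnerable",), {
        (True,): {True: F(1), False: F(0)},
        (False,): {True: F(1, 20), False: F(19, 20)},
    }),
]

if __name__ == "__main__":
    print(posterior(COINS, {"coin1": "H"}, {"both_heads": False}))
    print(posterior(COINS, {"coin1": "H"}, {"both_heads": False, "coin2": "T"}))
    print(posterior(COINS, {"coin1": "H"}, {"both_heads": False, "coin2": "H"}))
    print(float(posterior(SCAN, {"vulnerable": True}, {"positive": True})))
```

Under these assumptions the positive-test posterior is 20/1019, roughly 2%: the 5% false-positive rate applied to 999 clean systems swamps the single true positive.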
35. SACON 2017
Key Takeaways
• Embrace uncertainty using the theory of probability
• Probabilistic risk analysis methods inform actionable decisions.
• Only a few samples are required when our uncertainty is high
• Domain expertise matters
For further details, refer to my blogs on LinkedIn and the ISACA paper
• https://www.linkedin.com/in/venkatasubramanian-ramakrishnan-5544b9/recent-activity/posts/
• https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=338