Bayes' theorem

Why do so few risk managers know about Bayes?

It is said that Thomas Bayes made his most important discovery not at a university, not at a royal academy, and not even in conversation with the great thinkers of his time, but alone on a quiet evening in the library of his rectory. There he sat, a rather unassuming 18th-century clergyman and philosopher, known to hardly anyone outside his parish, pondering a mathematical problem that preoccupied him: How can new knowledge be used to improve old beliefs? While outside in Tunbridge Wells, a small town in the far west of the county of Kent near the border with Sussex, the streetlights flickered and the world took no interest whatsoever in this unassuming man, Bayes developed an idea that only long after his death ignited like a quiet spark – and eventually became one of the most powerful tools of modern science and AI methods.

Bayes was not a star of his time. He was no Newton, no Euler, no Bernoulli. He published very little and seemed to be more of a brooding thinker who preferred sorting books, solving logic puzzles, and analyzing theological questions to being in the limelight. But it was precisely this quiet perseverance that led him to his famous essay, which was only published by a friend after his death. The world hardly noticed what a treasure he had left behind. No one suspected that his simple question – "How does my assessment change when I receive new information?" – would one day become a pillar of modern statistics, artificial intelligence (AI), weather forecasting, and cybersecurity.

Today, more than 250 years later, Bayes' theorem is hidden in almost every model that deals with uncertainty. In algorithms that detect diseases. In algorithms that filter spam. In systems that predict cyberattacks. And yet, alarmingly few risk managers know about this quiet Presbyterian minister who revolutionized thinking in probabilities.

This historical review marks the beginning of our journey into the world of Bayes – and the question of why his theorem is indispensable for risk management, yet remains a blind spot in many companies.

What does Bayes' theorem say?

Bayes' theorem describes how to systematically update an existing assumption about the probability of an event as soon as new information becomes available. It combines prior knowledge about the world with actual observations. The core of the idea is that the probability that a hypothesis is correct increases or decreases depending on how well the new data explains that hypothesis. This means that Bayes should be the foundation of any modern evidence-based risk assessment.

Mathematically, the theorem is formulated as follows:
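Written in the notation of the next paragraph, the theorem takes its standard form (stated here for reference, as the formula itself is not reproduced on the page):

P(H|D) = P(D|H) · P(H) / P(D)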

Here, P(H) stands for the initial probability of a hypothesis – the so-called prior. P(D|H) describes the probability of observing the data if the hypothesis is true, i.e., the likelihood. The expression P(D) stands for the overall probability of the data, regardless of any specific hypothesis. And P(H|D) is the posterior – the updated, improved probability of the hypothesis after the new information has been taken into account.

In plain language, this means: We start with a guess, then see something new and use it to make a better estimate. It is precisely this logic that makes Bayes so valuable in all areas where uncertainty plays a role.

A simple example: Analysis of cyber risks

A simple example from cyber risk analysis illustrates how this works. Suppose a company estimates, based on historical information, that the probability of a ransomware attack in the coming year is 5 percent (on average, such an event occurs every 20 years; a per-year probability of this size can be read as the rate λ = 0.05 of a Poisson process). This is the prior. Now, an industry association publishes new data showing that companies with a certain outdated VPN access were attacked twice as often. If the company in question also uses such access, the probability increases significantly. Using Bayes' theorem, it is now possible to calculate how much this new information revises the original risk assessment upward. The more the new data supports the hypothesis of "increased risk due to outdated VPN," the greater the posterior becomes. This results in a methodologically sound, comprehensible, and transparent risk update.

This can also be expressed as a numerical example. If a company originally believed that the probability of a ransomware attack was 0.05, and the new data shows that the attack rate for companies with outdated VPNs is 0.10, while only 0.04 of all companies without this VPN were affected, the new information about the "likelihoods" can be incorporated. In a highly simplified form, the posterior probability could, for example, increase from 0.05 to around 0.11. The exact value depends on the actual base rates, but the key point is that Bayes provides a mathematical justification for the jump and makes it transparently comprehensible.
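The update described in the last two paragraphs, worked through in Python as an added example (not code from the article or from the book it announces). The share of companies running the outdated VPN is not given in the text; it is assumed here to be the value at which the two published attack rates average out to the 5 percent base rate, and with that assumption the posterior comes out at 0.10 (as the text says, the exact figure depends on the actual base rates).

```python
from math import exp


def posterior(prior, p_d_given_h, p_d_given_not_h):
    """Bayes' theorem with P(D) expanded by the law of total probability:
    P(H|D) = P(D|H)·P(H) / (P(D|H)·P(H) + P(D|not H)·P(not H))."""
    p_d = p_d_given_h * prior + p_d_given_not_h * (1.0 - prior)
    return p_d_given_h * prior / p_d


def likelihoods_from_rates(prior, rate_with, rate_without):
    """Convert the published attack rates P(H|D) = rate_with and
    P(H|not D) = rate_without into the likelihoods P(D|H) and P(D|not H)
    that Bayes' theorem needs. The share of companies with the outdated
    VPN, P(D), is not stated in the text; it is ASSUMED here to be the
    value at which the two rates average out to the base rate P(H) = prior."""
    share = (prior - rate_without) / (rate_with - rate_without)    # P(D)
    p_d_given_h = rate_with * share / prior                          # P(D|H)
    p_d_given_not_h = (1.0 - rate_with) * share / (1.0 - prior)      # P(D|not H)
    return share, p_d_given_h, p_d_given_not_h


def annual_probability(rate):
    """Probability of at least one event in a year when the yearly count is
    Poisson with rate λ: 1 − e^(−λ). For λ = 0.05 this is 0.0488, which is
    why the text can treat the rate and the 5 percent prior as the same."""
    return 1.0 - exp(-rate)


def ransomware_update(prior=0.05, rate_with_vpn=0.10, rate_without_vpn=0.04):
    """Posterior P(attack | outdated VPN in use) for the example in the text."""
    share, l_h, l_not_h = likelihoods_from_rates(prior, rate_with_vpn, rate_without_vpn)
    return posterior(prior, l_h, l_not_h)


if __name__ == "__main__":
    print(f"P(attack) prior            = {0.05:.3f}")
    print(f"P(at least one | λ = 0.05) = {annual_probability(0.05):.4f}")
    print(f"P(attack | outdated VPN)   = {ransomware_update():.3f}")
```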

Bayes' theorem is thus much more than a pretty mathematical equation. It is the most structured way of dealing with uncertainty that statistics knows. It forces us to disclose assumptions, weigh information correctly, and view risks dynamically rather than rigidly, exactly as real cyber risks behave in an ever-changing threat landscape. This is particularly valuable for risk managers because it provides a current, data-reflective view of risk that neither overreacts nor ignores what is actually happening.

What can Bayes be used for in concrete terms?

Bayesian thinking is relevant today in almost any situation where decisions are made under uncertainty. In medicine, it is used to interpret diagnostic tests: How likely is a disease really to be present if a test is positive? In meteorology, Bayes helps with weather models by combining historical data on weather conditions with new measurements. In the financial world, Bayesian methods are used to model credit risks by combining historical default rates (PDs) with current economic indicators. Bayesian methods are particularly prominent in machine learning (ML) and AI methods, for example in probabilistic models such as Bayesian networks or hidden Markov models. These methods evaluate probabilities in complex systems and continuously update them with new data.

Bayes plays a central role in anomaly detection for cybersecurity. If a server suddenly shows an unusually high number of outgoing connections at night, the question arises as to whether this is an attack or merely a "normal" error in the infrastructure. Bayes helps to combine the probability of an attack based on historical patterns, contextual data, and new events. This creates an adaptive, probabilistic early warning system. Bayes is also a key tool in risk modeling in companies, for example in estimating frequencies and probabilities of occurrence and amounts of damage, making uncertainty transparent and mathematically quantifiable.

Why are so few risk managers familiar with Bayes?

Despite its enormous relevance, many risk managers are hardly familiar with Bayes. There are several reasons for this. First, statistics is a hurdle for many people. Risk managers often come from business or legal disciplines (with the exception of banks and insurance companies) and have usually had little contact with more mathematically demanding concepts during their training. Many prefer to work with categories such as high, medium, and low rather than probability distributions, posteriors, or likelihoods. Second, traditional risk management has long relied on qualitative methods, as these were also favored by official standards (see, for example, the German BSI Standard 200-3): workshops, expert panels, traffic light ratings, qualitative risk maps, and checklists. These methods are simple and easy to communicate, but they often convey a false sense of security and frequently lead to pronounced "risk blindness." Thirdly, Bayesian analysis requires a mindset that accepts that assessments must change constantly as new information becomes available. Some risk managers perceive this as a weakness, although it is actually the strength of the Bayesian approach: it reflects the reality of dynamic systems instead of setting rigid values in stone.

In addition, data analytics is still regarded as a specialized discipline in many organizations, one that only a few experts have mastered. As a result, Bayes is often reserved for those who work with mathematical models on a daily basis, such as data scientists, actuaries, and AI developers. For everyone else, the theorem remains a kind of theoretical curiosity, even though it would be particularly helpful for them.

Bayesian logic forms the foundation of a whole class of modern AI methods, especially where decisions have to be made under uncertainty. Today, many people associate "artificial intelligence" primarily with neural networks or large language models. But long before "deep learning" became popular, Bayesian models were the standard tools of AI research. The basic idea is that a system combines existing knowledge ("prior") with new observations ("likelihood") and uses this to make an updated, improved assessment ("posterior"). This is precisely what makes "intelligent" systems adaptable and capable of learning.

Over the decades, this has given rise to numerous model classes. Particularly well known are Naive Bayes classifiers, which, despite their simplicity, are remarkably powerful in areas such as spam detection, text classification, and sentiment analysis. In cybersecurity, for example, such models analyze millions of log records and calculate the probability that a particular behavior pattern indicates an attack. The model takes into account how often certain events have occurred historically and dynamically adjusts its assessment to new data. A sudden unusual login pattern can thus lead to a significantly higher risk score in real time.

Even more powerful are Bayesian networks, which are probabilistic graphical models that map complex cause-and-effect structures. In a cyber context, they can model how different components of a system depend on each other. For example, an attack on a domain controller increases the likelihood of credential theft, which in turn increases the likelihood of lateral movement within the network. Many companies use such networks to analyze the resilience of their IT landscapes or simulate attack paths. The advantage is that every insight, for example a newly discovered zero-day exploit, can be incorporated into the model as new information ("evidence"), whereupon all risk-related probabilities are automatically updated.

Bayes and artificial intelligence

In machine learning (ML), Bayes also plays a central role where models require confidence measures. In Bayesian deep learning (BDL), for example, the aim is not only to generate a prediction, but also to provide the uncertainty of that prediction. This is particularly relevant in situations with little training data, such as rare attacks, anomalies, or technical failures. In practice, this means that an AI system not only recognizes a potential threat, but also assesses how confident it is in its assessment. This concept of uncertainty quantification is now used in autonomous vehicles, medical diagnostics, and highly critical surveillance systems – and is also becoming increasingly important in cyber risk management.

Bayesian methods also enable predictions to be made despite incomplete information in other uncertain systems, such as energy infrastructures. For example, a security operations center can use Bayesian rules to assess the probability of various causes of attacks when only fragments of log files or telemetry data are available. One example would be a creeping attack in which only minimal deviations from normal patterns are initially detectable. Bayesian updating allows these weak signals to be used to gradually generate an increasingly clear picture, while at the same time taking into account that some clues may be erroneous or random.
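The sequential weak-signal update described here, together with the night-time outbound connection case from the anomaly detection paragraph above, as an added Python example (not from the article): each telemetry signal is folded in one at a time in log-odds form, an absent signal counts as evidence too, and a nearly uninformative signal barely moves the estimate. The signal names, their likelihoods and the 1 percent prior are constructed assumptions for illustration, and treating the signals as conditionally independent is the naive-Bayes simplification the text mentions earlier.

```python
from math import exp, log

# Constructed telemetry signals for one server, each with an ASSUMED
# P(signal | attack) and P(signal | benign). Illustrative values only.
SIGNALS = {
    "outbound_connections_at_night": (0.60, 0.05),
    "login_from_new_country": (0.50, 0.10),
    "new_scheduled_task": (0.30, 0.20),
    "dns_query_to_unusual_domain": (0.40, 0.35),  # almost uninformative, may be noise
}


def log_odds(p):
    return log(p / (1.0 - p))


def probability(lo):
    return 1.0 / (1.0 + exp(-lo))


def likelihood_ratio(name, present):
    """P(evidence | attack) / P(evidence | benign) for a signal that was either
    seen (present=True) or checked for and not seen (present=False). An absent
    signal is evidence too: it lowers the odds when it would be expected under attack."""
    p_attack, p_benign = SIGNALS[name]
    if present:
        return p_attack / p_benign
    return (1.0 - p_attack) / (1.0 - p_benign)


def update_trail(prior, observations):
    """Apply Bayes' theorem once per observation in log-odds form:
    log-odds(posterior) = log-odds(prior) + sum of log likelihood ratios.
    Conditional independence of the signals (naive Bayes) makes this additive."""
    lo = log_odds(prior)
    trail = [("prior", prior)]
    for name, present in observations:
        lo += log(likelihood_ratio(name, present))
        trail.append((name if present else "no " + name, probability(lo)))
    return trail


def final_probability(prior, observations):
    return update_trail(prior, observations)[-1][1]


if __name__ == "__main__":
    # Constructed sequence of weak signals from one night.
    observed = [("outbound_connections_at_night", True), ("login_from_new_country", True),
                ("new_scheduled_task", False), ("dns_query_to_unusual_domain", True)]
    for label, p in update_trail(0.01, observed):
        print(f"{label:35s} P(attack) = {p:.3f}")
```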

Bayes is therefore not a relic from the mathematical past, but the foundation of a modern, probabilistic understanding of AI, machine learning, and risk analysis beyond "qualitative voodoo methods." Its strength lies in the fact that absolute truths are not required, but that systems can learn reliably even in incomplete, noisy, and dynamic environments.

Conclusion: A powerful tool for dealing with uncertainty

Bayes' theorem is one of the most powerful tools for dealing with uncertainty. On the one hand, it is so easy to understand that it can be explained in just a few lines, and on the other hand, it is profound enough to form the basis of many modern AI, data analytics, and risk analysis methods. The fact that it nevertheless plays a marginal role in traditional risk management is less due to its complexity than to a certain inertia in dealing with mathematical concepts and the convenience of qualitative methods. However, once you understand how elegantly Bayes describes uncertainties and how precisely it updates insights, you will find it difficult to do without it.

And this is precisely where the real opportunity lies: in a world full of dynamic, volatile, and systemic risks – be they cyberattacks, supply chain risks, or geopolitical crises – it is no longer enough to force risks into rigid traffic light colors. Qualitative risk matrices convey a deceptive sense of order where uncertainty actually prevails. They are a "sedative" rather than an explanation. And they promote systematic risk blindness, as practice has shown us (see Carillion, Silicon Valley Bank, Greensill Capital, BayWa, FTX, Northvolt, BER, etc.). Bayes, on the other hand, brings uncertainty to the surface and makes it manageable. It forces us to think explicitly about our assumptions and then adjust them step by step to reality. In doing so, it delivers exactly what modern risk management needs: a learning, evidence-based, continuously updated understanding of risks.

It is fascinating that this method can be traced back to an 18th-century nonconformist who quietly and persistently challenged the certainties of his time. Bayes understood mathematics as a mental exercise. His father, Reverend Joshua Bayes, was a prominent nonconformist Protestant preacher who was one of the first clergymen to be officially ordained in England under the Toleration Act, paving the way for religious freedom beyond the Anglican state church. This intellectual and free-thinking environment had a profound influence on Thomas Bayes: He learned early on to question authority, think outside the box, and view problems analytically from different perspectives. His theorem was a breakthrough in thinking at the time.

And even today, its potential is enormous. With Bayes, new information can be incorporated in real time, probabilities can be readjusted, and incomplete data can still be used meaningfully. Cyber risks, which change daily, can thus be modeled as they really are: not static, but dynamic. Scenarios that were previously evaluated purely qualitatively can now be backed up with probability distributions. Decisions that were previously based on gut feeling can finally be made in a transparent, traceable, and quantifiable manner.

This is the moment when risk managers must decide which path to take. Either they remain in the comfort zone of colorful and meaningless heat maps – or they venture into a methodologically more demanding but significantly more realistic world. A world that no longer pretends that uncertainty can be moderated away, but takes it seriously and systematically incorporates it. Bayes is not a panacea. But it is one of the sharpest tools we have to not only measure uncertainty, but to understand it.

It is up to risk managers themselves to find the courage to use it. Bayes has given us the tool – we just need to finally start using it.

In a few weeks, the book "Data Analytics in Risk Management – Descriptive Analytics – Diagnostic Analytics – Predictive Analytics," co-authored by Frank Romeike and Gabriele Wieczorek, will be published by Springer Verlag.

The book offers a practical and well-founded introduction to data analytics for risk management, includes illustrative application examples (also on Bayes' theorem) from risk management practice, and contains examples as source code in the programming languages R and Python for download.


Romeike/Wieczorek (2026): Data Analytics im Risikomanagement - Descriptive Analytics - Diagnostic Analytics - Predictive Analytics, Springer Verlag, Wiesbaden 2026
