Free Primer: Bayesian Networks for Cybersecurity Risk Analysis in Python

Free Primer: Bayesian Networks for Cybersecurity Risk Analysis in Python by Tim Layton - timlayton.blog/bnprimer
Empowering business leaders with insightful data-driven models to quantify and manage cybersecurity risks.

I created this detailed primer to help you learn and understand how Bayesian Networks in Python can be an incredibly powerful tool for cybersecurity risk analysis and risk modeling.

I believe that Bayesian Networks represent the future of cybersecurity risk analysis, and by the end of this in-depth introduction—complete with illustrated and working examples—I think you will share the same belief.

Business leaders and executives value cybersecurity professionals who can translate the complex landscape of risks and threats into clear, actionable business language. By quantifying cybersecurity risks in terms of probabilities and economic impact, you enhance your credibility and enable informed decision-making at the highest levels of the organization. In an increasingly competitive field, the ability to present cybersecurity threats in terms that resonate with business goals and financial outcomes will set you apart as a strategic advisor rather than just a technical expert. This approach positions you as a key player in aligning cybersecurity efforts with overall business strategy, making you an invaluable asset to any organization.

With over two-and-a-half decades of experience as a cybersecurity professional, I have pioneered advanced quantitative risk analysis methodologies and frameworks to address the latest cloud-based cybersecurity threats. My extensive background and expertise are reflected in the courses I offer. To learn more about my education and experience, please visit my About Page.

You can connect with me on LinkedIn and join my professional network.

I share weekly insights on quantifying cyber risk in dollars, not colors — including Monte Carlo simulation, loss exceedance modeling, Cyber Value at Risk (VaR), and NIST CSF quantification. If you’re an executive, CISO, or security leader looking for practical, data-driven approaches to cyber risk, let’s connect on LinkedIn.

Key Takeaways:

  1. Understanding Bayesian Networks in Cybersecurity: This primer provides a comprehensive introduction to Bayesian Networks, explaining how they can be leveraged as powerful tools for cybersecurity risk analysis and modeling. By the end of this guide, you will have a solid understanding of how Bayesian Networks work and why they are invaluable for quantifying and managing cybersecurity risks.
  2. Practical Application of Bayesian Networks: The primer includes detailed, illustrated examples that walk you through the creation and application of Bayesian Networks using Python. You’ll learn how to model complex probabilistic relationships, perform reasoning under uncertainty, and make data-driven decisions that align with business objectives.
  3. Business Communication and Decision-Making: The ability to translate complex cybersecurity risks into clear, actionable business language is a key skill highlighted in this primer. You’ll learn how to present cybersecurity threats in terms of probabilities and economic impact, enhancing your ability to communicate effectively with business leaders and executives.
  4. Real-World Scenarios and Examples: The primer covers real-world cybersecurity scenarios where Bayesian Networks can be applied, such as predicting the likelihood of a phishing attack leading to a data breach. Each example is thoroughly explained with step-by-step instructions, ensuring you can apply these techniques to your own cybersecurity risk analysis.
  5. Continual Learning and Updates: The primer emphasizes the importance of continual learning in the fast-evolving field of cybersecurity. It includes ongoing updates, new examples, and additional resources to help you stay current with the latest developments in Bayesian Networks and their application in cybersecurity.
  6. Advanced Course Opportunity: If you’re ready to deepen your expertise, the primer introduces an advanced online course focused on Bayesian Networks for cybersecurity risk analysis in Python. This course offers in-depth tutorials, complete with videos, Jupyter Notebooks, and supporting documents, to take your skills to the next level.

By mastering the concepts and techniques presented in this primer, you’ll position yourself as a strategic cybersecurity advisor capable of aligning cybersecurity efforts with overall business strategy. This knowledge will make you an invaluable asset to any organization, setting you apart from other professionals in the field.

Copyright Notice

All content on this website and its sub-domains, including text, images, and programming code, is the sole property of Tim Layton and is protected by copyright law. © 2024 Tim Layton. All rights reserved. No part of the content on this website, including any subdomains, may be copied, reproduced, distributed, or transmitted in any form or by any means without the express written consent of Tim Layton. Unauthorized use of any content from this website is strictly prohibited and may result in legal action.




A Bayesian Network is a probabilistic model, drawn as a directed acyclic graph, that represents how the factors (variables) in a system are related to each other and how they influence an outcome of interest. It combines data and expert knowledge to make predictions or decisions under uncertain or incomplete information.

Bayesian Networks are versatile tools that are used across a wide range of fields due to their ability to model complex probabilistic relationships and perform reasoning under uncertainty.

The Reasons Why a Bayesian Network is a Model

A model is a simplified representation of reality that helps us understand, predict, and make decisions about complex systems. In this case, a Bayesian Network is a model because:

Simplifies Complex Systems:

  • It takes a complex system with many interacting parts, like cybersecurity, and breaks it down into simpler parts (nodes) that are easier to analyze.

Captures Relationships:

  • The arrows and conditional probability distributions (CPDs) capture how each factor depends on the others. This mirrors real life, where one event (like a phishing email) may lead to another (like a data breach), but with probabilities attached to reflect uncertainty. Strictly, an arrow encodes a probabilistic dependence rather than a proven cause-and-effect link; treat it as causal only when the domain supports that reading. The probabilities are assigned based on internal data and telemetry, industry benchmark data, or expert observations.

Predicts Outcomes:

  • Once the network is built, you can use it to make predictions. For example, you might want to know the likelihood of a data breach if a phishing email is received. The Bayesian Network can calculate this for you based on the relationships and probabilities you’ve defined.

Handles Uncertainty:

  • Real-life decisions often involve uncertainty. You might not know for sure if a phishing attempt will succeed or if a system has vulnerabilities. The Bayesian Network incorporates this uncertainty by working with probabilities, which makes it a powerful tool for decision-making in uncertain situations.

Simple Illustrative Example

Imagine you’re trying to predict the weather.

You have several pieces of information:

  • Whether it’s cloudy or sunny
  • The air pressure
  • The temperature

A Bayesian Network could represent how these factors are related:

  • Cloudy might influence Rain.
  • Air Pressure might influence Rain.
  • Temperature might influence Cloudy.

Given prior probabilities for these factors (estimated from historical data) and the conditional probabilities that link them, you could use the network to compute the likelihood of rain.

Model Summary

A Bayesian Network is a model because it helps us understand and predict how different factors in a system (like cybersecurity threats) are connected. It simplifies the complex world by breaking it down into nodes and arrows, uses probabilities to handle uncertainty, and lets us make informed predictions. Even though the real world is complicated, a Bayesian Network allows us to map out these complexities and use them to make better decisions.



Using Bayesian Networks for Risk Analysis

Bayesian Networks are particularly useful in risk analysis due to their ability to model complex, uncertain systems and their capability to update beliefs as new evidence is presented.

Predictive Modeling: Bayesian Networks can be used to predict the likelihood of various outcomes, given certain risks. For example, in financial risk analysis, a Bayesian Network can predict the probability of loan default based on factors like credit score, income, and employment history.

Diagnostic Analysis: They can also be used in a diagnostic capacity, where the outcome is known, but the cause is not. For instance, after a cybersecurity incident, a Bayesian Network can help determine the most likely source of the breach based on the evidence collected.

Decision Support: Bayesian Networks can support decision-making processes by providing a quantitative assessment of the risks involved. Decision-makers can explore different scenarios by changing the values of certain variables in the network and observing the effects on the outcome probabilities.

Updating Beliefs with New Evidence: A key feature of Bayesian Networks is their ability to update the probability estimates as new data becomes available. This is done through Bayesian inference, which recalculates the probabilities of the network in light of the new evidence, providing an updated view of the risks.

Bayesian Networks are powerful tools for risk analysis. They offer a structured approach to modeling and analyzing the complex interdependencies and uncertainties inherent in risk factors. They enable analysts to quantify and update their understanding of risks in light of new information, facilitating informed decision-making in uncertain environments.


Bayesian Network Use Cases & Examples

Here are some of the key fields where Bayesian Networks are commonly applied:

Healthcare and Medicine

  • Diagnosis and Decision Support: Bayesian Networks are used to model the relationships between symptoms, diseases, and other medical factors. They assist in diagnosing medical conditions, predicting patient outcomes, and supporting clinical decision-making.
  • Genetics: In genetics, Bayesian Networks can model the inheritance of traits and the relationships between genes and phenotypic expressions.

Artificial Intelligence and Machine Learning

  • Reasoning and Inference: Bayesian Networks are fundamental in AI for reasoning under uncertainty. They help in making predictions, diagnosing issues, and inferring hidden variables based on observed data.
  • Learning from Data: In machine learning, Bayesian Networks can be used for structure learning (discovering the network structure from data) and parameter learning (estimating the probabilities).

Cybersecurity

  • Risk Analysis: Bayesian Networks are used to model and analyze cybersecurity risks, helping organizations understand the probability of various security breaches and the effectiveness of different security measures.
  • Threat Detection: They are also used to detect and respond to potential cybersecurity threats by modeling attack paths and assessing vulnerabilities.

Finance and Economics

  • Risk Management: In finance, Bayesian Networks are used to model and manage risks, such as credit risk, market risk, and operational risk.
  • Fraud Detection: Bayesian Networks can help detect fraudulent activities by modeling the relationships between various financial transactions and customer behaviors.

Insurance Industry

  • Underwriting and Risk Assessment: Bayesian Networks are used to evaluate the risk of insuring a particular client or policyholder by modeling the probabilistic relationships between various risk factors, such as age, health status, lifestyle, and past claims history. For example, an insurance company might use a Bayesian Network to predict the likelihood of a policyholder filing a claim based on their driving behavior, credit score, and vehicle type.
  • Claims Fraud Detection: Similar to finance, Bayesian Networks can be used in the insurance industry to detect fraudulent claims by analyzing patterns in claim submissions, customer behavior, and external data sources.

Environmental Science

  • Ecosystem Modeling: Bayesian Networks are used to model complex ecological systems, helping scientists understand the interactions between different species and environmental factors.
  • Climate Change: They can model the probabilistic relationships between climate variables and predict the impact of climate change on different regions.

Engineering and Reliability Analysis

  • Fault Diagnosis: In engineering, Bayesian Networks are used to diagnose faults in systems and predict the likelihood of failures based on sensor data and other observations.
  • Reliability Modeling: They are used to model the reliability of complex systems, such as manufacturing processes, transportation networks, and infrastructure.

Social Sciences

  • Behavioral Modeling: Bayesian Networks are used to model human behavior and social interactions, helping researchers understand how different factors influence decision-making.
  • Policy Analysis: They can be used to analyze the potential impact of different policies by modeling the relationships between social, economic, and political variables.

Natural Language Processing (NLP)

  • Speech Recognition: Bayesian Networks are used to model the probabilistic relationships between phonemes, words, and sentences in speech recognition systems.
  • Text Classification: They can be used to classify text based on the probability of certain words or phrases appearing in different categories.

Robotics

  • Sensor Fusion: Bayesian Networks help in combining information from multiple sensors to make decisions in uncertain environments.
  • Path Planning: They are used to model the probabilistic outcomes of different actions in dynamic environments, aiding in navigation and decision-making.

Bioinformatics

  • Gene Expression Analysis: Bayesian Networks are used to model the relationships between genes and predict the expression levels of different genes based on observed data.
  • Protein Structure Prediction: They can help predict the 3D structure of proteins based on the probabilistic relationships between different molecular components.

Forensic Science

  • Crime Scene Analysis: Bayesian Networks are used to model the relationships between evidence and potential suspects, helping forensic scientists assess the likelihood of different scenarios.
  • Legal Decision Support: They assist in making decisions based on probabilistic reasoning, such as evaluating the strength of evidence in court cases.

Supply Chain and Operations Management

  • Demand Forecasting: Bayesian Networks are used to model and predict demand for products based on historical data and external factors.
  • Inventory Management: They help optimize inventory levels by modeling the probabilistic relationships between demand, supply, and lead times.

Use Case Summary

Bayesian Networks are widely used in fields that require modeling of uncertain and complex systems. Their ability to represent and reason with probabilistic dependencies makes them powerful tools in diverse areas such as healthcare, finance, cybersecurity, insurance, AI, environmental science, and many more.




5 Additional Cybersecurity Use Case Examples

Each of the five examples below is well-suited for Bayesian Network analysis, as Bayesian Networks are powerful tools for modeling probabilistic relationships and reasoning under uncertainty.

Here’s an explanation of how Bayesian Networks can be applied to each of these types of cybersecurity risk analysis:

1. Attack Surface Analysis

  • Purpose: Attack surface analysis involves identifying and evaluating all the potential entry points (e.g., networks, systems, applications) that an attacker could exploit to compromise an organization’s security.
  • Bayesian Network Suitability: Bayesian Networks can model the likelihood of exploitation of different entry points based on various factors such as system vulnerabilities, patch levels, and user behavior. By incorporating dependencies between different parts of the attack surface, a Bayesian Network can help in assessing the overall risk of an attack and guide the prioritization of security measures to protect the most vulnerable areas.

2. Behavioral Analytics

  • Purpose: Behavioral analytics focuses on monitoring and analyzing user and entity behavior to detect anomalies that could indicate malicious activities, such as insider threats or compromised accounts.
  • Bayesian Network Suitability: Bayesian Networks are particularly well-suited for modeling the relationships between different behavioral indicators and the probability of an insider threat or account compromise. By capturing the dependencies between various behavioral factors (e.g., login times, access patterns, data usage), Bayesian Networks can help in identifying high-risk behaviors and alerting security teams to potential security incidents.

3. Threat Intelligence Analysis

  • Purpose: Threat intelligence analysis involves gathering and analyzing information about current and emerging threats from various sources (e.g., threat feeds, dark web, social media) to stay ahead of potential cyberattacks.
  • Bayesian Network Suitability: Bayesian Networks can be used to model the relationships between different threat indicators, attack methods, and potential impacts. By integrating threat intelligence data with internal security data, organizations can use Bayesian Networks to predict the likelihood of specific attacks and identify the most relevant threats to their environment. This helps in proactively strengthening defenses against the most probable threats.
  • Note: I have used the MITRE ATT&CK Framework for several different risk analysis scenarios and found it to be incredibly useful and insightful.

4. Incident Response Analysis

  • Purpose: Incident response analysis focuses on investigating and analyzing security incidents to understand their root causes, impact, and how to prevent similar incidents in the future.
  • Bayesian Network Suitability: Bayesian Networks can model the causal relationships between various factors involved in a security incident, such as the initial attack vector, detection mechanisms, and response actions. By analyzing these relationships, organizations can identify weaknesses in their incident response process and simulate the effectiveness of different response strategies, leading to more effective and efficient incident handling in the future.

5. Compliance and Regulatory Analysis

  • Purpose: Compliance and regulatory analysis involves assessing an organization’s cybersecurity posture to ensure it meets industry standards, legal requirements, and regulations such as GDPR, HIPAA, or CCPA.
  • Bayesian Network Suitability: Bayesian Networks can be used to model the relationships between different compliance controls, potential vulnerabilities, and regulatory outcomes. By understanding how different compliance measures interact, organizations can use Bayesian Networks to predict the likelihood of non-compliance and prioritize remediation efforts to address the most critical gaps. This helps in ensuring that the organization remains compliant with regulations while effectively managing risks.
  • Note: I developed a comprehensive tool for the NIST CSF 2.0 framework to estimate the probability of a cyber breach incident based on the level of maturity scores for the NIST CSF core functions, categories, and sub-categories. I expanded the process to create Loss Exceedance Curves to quantify the magnitude and frequency of future losses based on the organization’s current cybersecurity posture.

Summary

Bayesian Networks offer a powerful way to model and analyze complex systems with many interdependent variables, making them well-suited for these five types of cybersecurity analysis and many others. By capturing the probabilistic relationships between various factors, Bayesian Networks enable more informed decision-making, proactive risk management, and enhanced security outcomes across different aspects of an organization’s cybersecurity strategy.


Bayes’ Theorem Primer

Bayes’ Theorem is a fundamental concept in probability theory and statistics that plays a crucial role in Bayesian Networks. It provides a way to update our beliefs or probabilities based on new evidence.

I have a comprehensive primer covering Bayes’ Theorem that I suggest you review before proceeding unless you are already up to speed.

If you need a brief refresher, read this section before proceeding with the rest of the article. If this information is new to you, I suggest reading my comprehensive primer covering Bayes’ Theorem before proceeding because I assume you understand the key principles of Bayes’ Theorem in this primer for Bayesian Networks.

What is Bayes’ Theorem?

Bayes’ Theorem describes the probability of an event based on prior knowledge of conditions that might be related to it. The theorem is named after Thomas Bayes, an 18th-century statistician.

The formula for Bayes’ Theorem is: P(A | B) = [P(B | A) * P(A)] / P(B)

Here’s what each term means:

  • P(A|B): The probability of event A occurring given that B is true. This is called the posterior probability.
  • P(B|A): The probability of event B occurring given that A is true. This is called the likelihood.
  • P(A): The probability of event A occurring on its own, without any additional information. This is called the prior probability.
  • P(B): The probability of event B occurring on its own. This is called the marginal likelihood or simply the evidence.

Understanding Bayes’ Theorem with an Example

Let’s consider a simple example related to cybersecurity. Suppose you’re interested in finding out the probability that your system is compromised (A) given that an unusual login attempt has been detected (B).

  • P(A): The prior probability that your system is compromised. Let’s say this is 5% (0.05). This can be based on industry data if you don’t have access to internal data.
  • P(B|A): The likelihood that an unusual login attempt would be detected if the system is compromised. Suppose this is 80% (0.80) based on your data source.
  • P(B): The overall probability of detecting an unusual login attempt, whether the system is compromised or not. Assume this is 10% (0.10) for this educational example.

Using Bayes’ Theorem, you can calculate the posterior probability that the system is compromised given the unusual login attempt. The calculation is worked through step by step below.

Given Data:

  • P(A) = 0.05 (5%): The prior probability that your system is compromised.
  • P(B | A) = 0.80 (80%): The likelihood that an unusual login attempt would be detected if the system is compromised.
  • P(B) = 0.10 (10%): The overall probability of detecting an unusual login attempt.

Applying Bayes’ Theorem

We can now plug these values into Bayes’ Theorem:

P(A | B) = [P(B | A) * P(A)] / P(B)

Substituting the given values:

P(A | B) = [0.80 * 0.05] / 0.10

Step-by-Step Calculation:

  1. Calculate the numerator:
  • P(B | A) * P(A) = 0.80 * 0.05
  • 0.80 * 0.05 = 0.04
  2. Calculate the posterior probability:
  • P(A | B) = 0.04 / 0.10
  • P(A | B) = 0.40

Final Interpretation:

The final result is:

P(A | B) = 0.40

This means that given an unusual login attempt, the probability that your system is compromised is 0.40, or 40%.

This calculation shows how Bayes’ Theorem allows you to update the probability of a system being compromised when you detect an unusual login attempt. By incorporating both the likelihood of the event given the condition and the prior probability, you get a more accurate estimate of the true risk.

Bayes’ Theorem in Bayesian Networks

In the context of Bayesian Networks, Bayes’ Theorem is used to update the probabilities of the variables (nodes) in the network when evidence is observed. A Bayesian Network is a graphical model: a directed acyclic graph whose nodes are variables and whose directed edges (arrows) represent the dependencies between them, with a conditional probability distribution attached to each node.

For instance, in a Bayesian Network modeling cybersecurity risks:

  • Nodes represent different events or conditions (e.g., Phishing Email Received, Employee Clicks Link, Cyber Breach Occurs).
  • Edges represent the dependencies or causal relationships between these events.

When you receive new evidence (like detecting a phishing email), Bayes’ Theorem helps you update the probabilities across the network, allowing you to make informed decisions based on the most current data.

Conclusion

Bayes’ Theorem is a powerful tool for quantifying the likelihood of an event given new information. In Bayesian Networks, this theorem is applied repeatedly to update the state of knowledge about the modeled system, enabling dynamic and data-driven decision-making in complex scenarios.

Whether you’re analyzing the risk of a cyber breach, diagnosing a medical condition, or predicting market trends, understanding and applying Bayes’ Theorem is key to making better probabilistic assessments.


Key Components of a Bayesian Network

A Bayesian Network is a powerful tool for modeling probabilistic relationships among a set of variables. If you’re new to Bayesian Networks, here’s an overview of the key components you’ll need to understand:

Nodes (Variables)

  • Definition: In a Bayesian Network, each node represents a random variable. These variables can be anything you want to model, such as events, conditions, or states.
  • Types of Variables: Variables can be discrete (e.g., “rain” vs. “no rain”) or continuous (e.g., temperature values). Simple Bayesian Networks, including every example in this primer, use discrete variables; continuous quantities are usually discretized into bins or handled by specialized (e.g., Gaussian) networks.
  • Example: In a network modeling a medical diagnosis, nodes might represent symptoms (like “fever” or “cough”) and diseases (like “flu” or “cold”).

Edges (Arrows)

  • Definition: Edges are the directed arrows that connect the nodes in the network. These arrows indicate the direction of influence or causality between the variables.
  • Parent and Child Nodes: The node at the tail of an arrow is the parent, and the node at the head is the child. The parent node influences the child node.
  • Example: In a network, if “Weather” is a parent node and “Rain” is a child node, the arrow from “Weather” to “Rain” indicates that the weather condition affects the likelihood of rain.

Conditional Probability Distributions (CPDs)

  • Definition: CPDs define the probability of each possible state of a variable, given the states of its parent nodes. They capture the probabilistic relationships between the variables.
  • Format: CPDs are usually represented as tables (Tabular CPDs). Each entry gives the probability of one state of the variable for one combination of its parents’ states, and the entries for a fixed parent combination sum to 1. A node with k binary parents therefore needs a probability for each of its 2^k parent combinations.
  • Example: If the variable “Rain” depends on “Weather,” the CPD for “Rain” might show the probability of rain given that the weather is cloudy, sunny, or stormy.
  • Note: In real-world scenarios the CPDs grow very quickly (exponentially in the number of parents), and it is impractical to perform the computations without a computer. Python libraries such as pgmpy make the computations fast and easy once you learn how to use their functions.

Conditional Probability Distributions (CPDs) in a Bayesian Network are related to Bayes’ Theorem, but they are not explicitly performing Bayes’ Theorem calculations themselves. Instead, they represent the probabilistic relationships between the variables in the network, which can be used to perform inference using Bayes’ Theorem.

How CPDs and Bayes’ Theorem Relate:

CPDs as Building Blocks:

  • CPDs describe the probability of a variable given its parents in the network. For example, if you have a node (A) with parents (B) and (C), the CPD for (A) specifies P(A | B, C).
  • These are the basic conditional probabilities that you need to perform inference across the network.

Inference Using Bayes’ Theorem:

  • When you query a Bayesian Network (e.g., asking for the probability of a certain event given some evidence), the inference engine combines the CPDs to compute the posterior probabilities.
  • Concretely, the chain rule multiplies the CPDs into the joint distribution, the variables you did not ask about are summed out, and the result is divided by the probability of the evidence. That last step, conditioning on the evidence, is Bayes’ Theorem applied across the whole network.
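The three-node network named in the previous section (Phishing Email Received, Employee Clicks Link, Cyber Breach Occurs), with CPDs stored as tables and inference done by brute-force enumeration, as an added example for this primer. It is not code from the original page and does not use pgmpy; it does by hand what a library does for you: the chain rule multiplies the CPDs into a joint distribution, summing out the unqueried variables gives a marginal, and dividing by the probability of the evidence is the Bayes’ Theorem step. The probabilities in PHISHING_NETWORK are constructed for illustration, not measured rates, and the function names are this example’s own. The queries at the bottom are the three uses described under Using Bayesian Networks for Risk Analysis: predictive, diagnostic, and a what-if that changes one CPD entry.

```python
from itertools import product

# Every node is binary; the two states are "no" and "yes".
STATES = ("no", "yes")

# A network is {node: (parents, table)}; table maps a tuple of parent states
# to P(node = "yes"). Nodes are listed in topological order (parents first).
# Constructed, illustrative numbers (assumption of this example).
PHISHING_NETWORK = {
    "Phishing": ((), {(): 0.30}),                                  # P(phishing email received)
    "Click":    (("Phishing",), {("no",): 0.02, ("yes",): 0.25}),  # P(employee clicks | phishing)
    "Breach":   (("Click",), {("no",): 0.01, ("yes",): 0.40}),     # P(breach | click)
}


def check_network(network):
    """Sanity checks to run before trusting any query: parents are defined
    before their children, every parent combination has an entry, and every
    probability lies in [0, 1]. Raises ValueError on the first problem."""
    seen = set()
    for node, (parents, table) in network.items():
        missing = [p for p in parents if p not in seen]
        if missing:
            raise ValueError(f"{node}: parents {missing} are not defined before it")
        for combo in product(STATES, repeat=len(parents)):
            if combo not in table:
                raise ValueError(f"{node}: no probability for parents={combo}")
            if not 0.0 <= table[combo] <= 1.0:
                raise ValueError(f"{node}: P(yes | {combo}) is out of range")
        seen.add(node)
    return True


def node_prob(network, node, assignment):
    """P(node = assignment[node] | its parents as set in assignment), read off the CPD."""
    parents, table = network[node]
    p_yes = table[tuple(assignment[p] for p in parents)]
    return p_yes if assignment[node] == "yes" else 1.0 - p_yes


def joint_prob(network, assignment):
    """Chain rule: the joint probability is the product of every node's CPD entry."""
    p = 1.0
    for node in network:
        p *= node_prob(network, node, assignment)
    return p


def query(network, target, evidence=None):
    """P(target | evidence) by enumeration: sum the joint over every full
    assignment consistent with the evidence, then normalise. Dividing by
    P(evidence) is the Bayes' Theorem step."""
    evidence = dict(evidence or {})
    nodes = list(network)
    unnormalised = {s: 0.0 for s in STATES}
    for values in product(STATES, repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        unnormalised[assignment[target]] += joint_prob(network, assignment)
    p_evidence = sum(unnormalised.values())
    if p_evidence == 0.0:
        raise ValueError(f"evidence {evidence} has zero probability under the model")
    return {s: p / p_evidence for s, p in unnormalised.items()}


def with_cpd(network, node, parent_states, p_yes):
    """Copy of the network with one CPD entry changed, for what-if analysis."""
    parents, table = network[node]
    new_table = dict(table)
    new_table[parent_states] = p_yes
    new_network = dict(network)
    new_network[node] = (parents, new_table)
    return new_network


if __name__ == "__main__":
    check_network(PHISHING_NETWORK)
    # Predictive: how likely is a breach, before and after learning a phish arrived?
    print("P(Breach)                =", query(PHISHING_NETWORK, "Breach")["yes"])
    print("P(Breach | Phishing=yes) =", query(PHISHING_NETWORK, "Breach", {"Phishing": "yes"})["yes"])
    # Diagnostic: a breach happened; how likely is phishing to have been the entry point?
    print("P(Phishing | Breach=yes) =", query(PHISHING_NETWORK, "Phishing", {"Breach": "yes"})["yes"])
    # Decision support: awareness training that cuts the click rate on phish to 10%.
    trained = with_cpd(PHISHING_NETWORK, "Click", ("yes",), 0.10)
    print("P(Breach) after training =", query(trained, "Breach")["yes"])
```

Enumeration visits every full assignment, so its cost doubles with each binary node added; it is fine for a handful of nodes and shows the mechanics, which is why libraries use variable elimination or belief propagation instead. The check_network() step plays the role of pgmpy’s check_model(): a CPD table with a missing parent combination or a probability outside [0, 1] will silently produce nonsense otherwise.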

Example:

Consider a simple Bayesian Network with two nodes, A and B, where A is a parent of B.

The CPDs would be:

  • P(A): Prior probability of A.
  • P(B|A): Conditional probability of B given A.

If you want to calculate P(A|B), you would use Bayes’ Theorem:

P(A | B) = [P(B | A) * P(A)] / P(B)

  • P(A | B): The probability of event A occurring given that event B has occurred.
  • P(B | A): The probability of event B occurring given that event A has occurred.
  • P(A): The probability of event A occurring.
  • P(B): The probability of event B occurring.

This formula is Bayes’ Theorem, which relates the conditional probability of A given B to the conditional probability of B given A, as well as the individual probabilities of A and B.

Where:

  • P(B) = P(B | A) * P(A) + P(B | not A) * P(not A)
  • P(B): The probability of event B occurring.
  • P(B | A): The probability of event B occurring given that event A has occurred.
  • P(A): The probability of event A occurring.
  • P(B | not A): The probability of event B occurring given that event A has not occurred.
  • P(not A): The probability of event A not occurring.

This is the law of total probability: it computes P(B) by splitting on whether A occurred. It supplies the denominator Bayes’ Theorem needs, and in a larger network it is what the inference engine computes for you when you enter evidence.

Example Scenario: Detecting a Phishing Attack Using Bayes’ Theorem

To illustrate how to manually use and calculate Bayes’ Theorem, let’s create a scenario where we want to determine the probability that a phishing attack (Event A) has occurred, given that a suspicious email (Event B) has been detected.

It is important to learn how the formulas work manually so that you will understand what is going on under the hood when you use libraries and functions in Python. Plus, you will be very thankful you don’t have to perform the calculations by hand like we do in this example.

Step 1: Define the Probabilities

P(A): The prior probability that a phishing attack has occurred.

  • Let’s say from historical data, we know that the probability of a phishing attack is 5% (0.05).

P(B | A): The probability of detecting a suspicious email given that a phishing attack has occurred.

  • Suppose the likelihood of detecting a suspicious email if a phishing attack has occurred is 90% (0.90).

P(B | not A): The probability of detecting a suspicious email given that a phishing attack has not occurred.

  • Let’s assume there’s still a chance of detecting a suspicious email even if a phishing attack hasn’t occurred, say 20% (0.20).

P(not A): The probability that a phishing attack has not occurred.

  • This is simply 1 – P(A) = 1 – 0.05 = 0.95.

Step 2: Calculate P(B), the Total Probability of B

The total probability of detecting a suspicious email (Event B) is calculated by considering both scenarios: when a phishing attack has occurred and when it hasn’t. The formula for this is:

P(B) = P(B | A) * P(A) + P(B | not A) * P(not A)

Substituting the values:

P(B) = (0.90 * 0.05) + (0.20 * 0.95)

Step 3: Perform the Calculation

Calculate P(B | A) * P(A):

  • 0.90 * 0.05 = 0.045

Calculate P(B | not A) * P(not A):

  • 0.20 * 0.95 = 0.19

Calculate P(B):

  • P(B) = 0.045 + 0.19
  • P(B) = 0.235

Step 4: Calculate P(A | B) Using Bayes’ Theorem

Now, we can calculate the probability that a phishing attack has occurred given that a suspicious email has been detected using Bayes’ Theorem:

P(A | B) = [P(B | A) * P(A)] / P(B)

Substituting the values:

P(A | B) = [0.90 * 0.05] / 0.235

Step 5: Perform the Final Calculation

  1. Calculate the numerator:
  • 0.90 * 0.05 = 0.045
  2. Calculate the posterior probability P(A | B):
  • P(A | B) = 0.045 / 0.235
  • P(A | B) ≈ 0.1915

Final Result

The posterior probability that a phishing attack has occurred given that a suspicious email has been detected is approximately 0.1915, or 19.15%.

Scenario Summary

In this scenario, even though the prior probability of a phishing attack was only 5%, detecting a suspicious email increased the likelihood of a phishing attack to 19.15%. This example illustrates how Bayes’ Theorem allows us to update the probability of an event based on new evidence, making it a powerful tool for decision-making in cybersecurity and many other fields.

In Summary:

  • CPDs in a Bayesian Network provide the necessary conditional probabilities for each node given its parents.
  • Bayes’ Theorem is applied during inference to update beliefs based on evidence and to compute posterior probabilities.
  • The Bayesian Network structure and its CPDs allow for efficient computation of complex probabilistic queries, often involving multiple applications of Bayes’ Theorem.

Understanding Prior, Likelihood, & Posterior

Make sure you fully understand prior probability, likelihood, and posterior probability before moving forward.

Key Concepts:

  • Prior Probability: The initial probability of an event or hypothesis before new evidence is taken into account. It represents your belief about the event before you see any data.
  • Likelihood: The probability of observing the data given that the hypothesis is true. It represents how likely the observed data is under the assumption that a particular hypothesis is correct.
  • Posterior Probability: The probability of the hypothesis after considering the new evidence. It combines the prior probability with the likelihood of the observed data to update the belief about the hypothesis.

If you need a refresher on Bayes’ Theorem, review that section above before proceeding with this example.

Example Scenario: Medical Diagnosis

Suppose you’re a doctor diagnosing a disease. After applying Bayes’ Theorem, the posterior probability tells you the updated probability that the patient has the disease given the test result. Start with the following quantities:

  • Prior Probability: The probability that a patient has the disease is 5%, or 0.05.
  • Likelihood: The probability of getting a positive test result if the patient has the disease is 90%, or 0.90.
  • Probability of Positive Test Result (Marginal Likelihood): The overall probability of getting a positive test result, considering all patients, is 10%, or 0.10.

Applying Bayes’ Theorem:

Bayes’ Theorem formula in this context is:

P(Disease | Positive Test) = [P(Positive Test | Disease) * P(Disease)] / P(Positive Test)

Where:

  • P(Disease | Positive Test) is the posterior probability: the probability that the patient has the disease given the positive test result.
  • P(Positive Test | Disease) is the likelihood: the probability of getting a positive test result given that the patient has the disease (0.90).
  • P(Disease) is the prior probability: the initial probability that the patient has the disease (0.05).
  • P(Positive Test) is the marginal likelihood: the overall probability of getting a positive test result (0.10).

Inserting the Values:

P(Disease | Positive Test) = [0.90 * 0.05] / 0.10

Simplifying:

P(Disease | Positive Test) = 0.045 / 0.10

P(Disease | Positive Test) = 0.45

Conclusion:

After applying Bayes’ Theorem, the posterior probability that the patient has the disease given a positive test result is 0.45, or 45%.

This means that even with a positive test result, the chance that the patient actually has the disease is only 45%, given the prior probability and the likelihood.
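The two hand calculations above (the phishing posterior and the medical posterior), carried through in code as an added example that is not part of the original primer, and extended to updating a belief over several independent signals in sequence. The second signal’s likelihoods (0.70 and 0.05) are constructed values, not from the page.

```python
"""Bayes' Theorem for a binary hypothesis H given evidence E (added example)."""


def bayes_posterior(prior, p_e_given_h, p_e_given_not_h):
    """Return (P(H | E), P(E)).

    P(E)     = P(E | H) * P(H) + P(E | not H) * P(not H)   (total probability)
    P(H | E) = P(E | H) * P(H) / P(E)                      (Bayes' Theorem)
    """
    marginal = p_e_given_h * prior + p_e_given_not_h * (1.0 - prior)
    return p_e_given_h * prior / marginal, marginal


def posterior_from_marginal(prior, likelihood, marginal):
    """Bayes' Theorem when P(E) is supplied directly, as in the medical example."""
    return likelihood * prior / marginal


def implied_false_positive_rate(prior, likelihood, marginal):
    """P(E | not H) implied by a supplied marginal P(E).

    A marginal below P(E | H) * P(H) is inconsistent with the prior and likelihood,
    so this is a quick sanity check on hand-entered numbers.
    """
    numerator = marginal - likelihood * prior
    if numerator < 0:
        raise ValueError("P(E) cannot be smaller than P(E | H) * P(H)")
    return numerator / (1.0 - prior)


def sequential_update(prior, signals):
    """Apply Bayes' Theorem once per signal; each posterior becomes the next prior.

    signals: list of (P(E_i | H), P(E_i | not H)). Assumes the signals are
    conditionally independent given H (an assumption, not a law).
    Returns the belief after each step, starting with the prior.
    """
    history = [prior]
    for p_given_h, p_given_not_h in signals:
        prior, _ = bayes_posterior(prior, p_given_h, p_given_not_h)
        history.append(prior)
    return history


if __name__ == "__main__":
    # Phishing scenario from the page: P(A)=0.05, P(B|A)=0.90, P(B|not A)=0.20.
    posterior, marginal = bayes_posterior(0.05, 0.90, 0.20)
    print(f"P(B) = {marginal:.3f}, P(A | B) = {posterior:.4f}")  # 0.235, 0.1915

    # Medical scenario from the page: P(Positive Test) = 0.10 is given directly.
    print(f"P(Disease | Positive) = {posterior_from_marginal(0.05, 0.90, 0.10):.2f}")
    print(f"implied P(Positive | no Disease) = "
          f"{implied_false_positive_rate(0.05, 0.90, 0.10):.4f}")

    # Constructed second signal: the link's domain was registered very recently,
    # with P(E2 | A) = 0.70 and P(E2 | not A) = 0.05 (illustrative values).
    for step, belief in enumerate(sequential_update(0.05, [(0.90, 0.20), (0.70, 0.05)])):
        print(f"belief after {step} signal(s): {belief:.4f}")
```

The implied false-positive rate shows what a hand-entered marginal of 0.10 silently assumes about the test; if that number is not plausible for your environment, the posterior is not either.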

Remaining Key Components of a Bayesian Network

Directed Acyclic Graph (DAG)

  • Definition: A Bayesian Network is structured as a Directed Acyclic Graph (DAG). In a DAG, the arrows (edges) are directed, and there are no cycles (i.e., you can’t start at one node and follow the arrows back to the same node).
  • Purpose: The DAG represents the structural dependencies among the variables. The absence of cycles ensures that the network represents a valid probabilistic model.
  • Example: A DAG might show how different risk factors (like smoking and genetic predisposition) influence the likelihood of developing a disease.

Joint Probability Distribution

  • Definition: The joint probability distribution (JPD) of all variables in the Bayesian Network represents the probability of every possible combination of states for all the variables. The network allows this complex distribution to be factorized into smaller, more manageable pieces using the CPDs.
  • Purpose: The JPD enables you to calculate the probability of any event or combination of events by multiplying the probabilities specified in the CPDs.
  • Example: In a medical diagnosis network, the JPD might give the probability of a patient having both a fever and a cold, given the overall structure of the network.

Inference

  • Definition: Inference is the process of computing the posterior probabilities of some variables, given evidence about other variables in the network. It’s how you “query” the network to make predictions or diagnose conditions.
  • Types of Inference: Common inference tasks include finding the probability of a variable given some evidence (marginalization) or determining the most likely state of a set of variables (maximum a posteriori, or MAP).
  • Example: If you know that a patient has a fever, you might use inference to calculate the probability that the patient has the flu.

Evidence

  • Definition: Evidence is the information or data you have about certain variables in the network. When you input this evidence into the network, it updates the probabilities of other variables.
  • Observed vs. Unobserved Variables: Evidence relates to observed variables (variables for which you have data). The goal of inference is to update the probabilities of unobserved variables based on this evidence.
  • Example: In a network assessing disease risk, if you know a patient has a high fever (evidence), you can update the probabilities of various diseases that might be causing it.

Summary of Components:

  1. Nodes (Variables): Represent random variables in the network.
  2. Edges (Arrows): Show the direction of influence or dependency between variables.
  3. Conditional Probability Distributions (CPDs): Define the probability of each variable given its parents.
  4. Directed Acyclic Graph (DAG): The structure of the network, showing dependencies without cycles.
  5. Joint Probability Distribution: The combined probability of all variables, derived from the CPDs.
  6. Inference: The process of updating probabilities based on evidence.
  7. Evidence: Known values of certain variables used to update the network’s predictions.

Understanding these components will help you grasp how Bayesian Networks model complex systems and make probabilistic predictions based on available data.

The Conditional Probability Distributions (CPDs) in a Bayesian Network are related to Bayes’ Theorem, but they are not explicitly performing Bayes’ Theorem calculations themselves. Instead, they represent the probabilistic relationships between the variables in the network, which can be used to perform inference using Bayes’ Theorem.

Utilizing pgmpy Python Library for Bayesian Networks in Cybersecurity Risk Analysis

Bayesian Networks are a powerful tool in cybersecurity risk analysis, allowing us to model the probabilistic relationships between different variables that could lead to security breaches.

The Python library pgmpy is particularly useful for constructing, analyzing, and inferring from Bayesian Networks. In this section, we will explore how pgmpy can be leveraged to create a Bayesian Network for assessing the risk of a cyber breach due to phishing emails.

Key Classes and Functions in pgmpy

Before diving into an example, it’s essential to understand the key components provided by pgmpy:

BayesianNetwork (named BayesianModel in older pgmpy releases):

  • This class is the core of Bayesian Network creation. It is used to define the structure of the network by specifying the directed edges between nodes (variables).
  • Functions:
    • add_nodes_from(): Adds multiple nodes to the network.
    • add_edges_from(): Adds multiple directed edges to define relationships between nodes.
    • add_cpds(): Attaches the CPDs to the model (used in the example program below).
    • check_model(): Verifies that every node has a CPD consistent with its parents and that each column sums to 1 (used in the example program below).
    • fit(): Used to estimate the conditional probability distribution (CPD) from data.
    • get_cpds(): Retrieves the CPDs for each node.

TabularCPD:

  • This class is used to define the Conditional Probability Distributions (CPDs) for each node in the network.
  • Functions:
    • __init__(): Initializes a CPD with the given variable, variable states, and the CPD table.
    • get_values(): Returns the CPD as a value table, useful for inspection.

Inference:

  • The pgmpy library provides several classes for performing inference on the network, with VariableElimination being the most commonly used.
  • Functions:
    • query(): Allows querying the network for the probability distribution of certain variables given evidence.

Full Working Example # 1: Bayesian Network for Phishing Emails Leading to Cyber Breach

Before we design our Bayesian Network for this example, you need to understand how relationships between nodes work.

In Bayesian Networks, there are three primary types of relationships (or connections) between nodes:

Serial Connection (Chain)

  • Description: Nodes are connected in a sequence, forming a chain of dependencies.
  • Example: A → B → C
  • Explanation: In this structure, A influences B, and B influences C. The relationship between A and C is indirect, mediated by B.

Diverging Connection (Fork)

  • Description: One parent node has multiple child nodes.
  • Example: A → B and A → C
  • Explanation: In this structure, A is the common cause of both B and C. A diverges to influence both B and C independently.

Converging Connection (V-Structure or Collider)

  • Description: Multiple parent nodes influence a single child node.
  • Example: B → A ← C
  • Explanation: In this structure, both B and C influence A. B and C are independent as long as A is unobserved, but they become dependent once A is known (this is a key point in d-separation).

Additional Concepts Related to Relationships:

  • d-Separation: A concept used to determine whether a set of nodes is independent of another set of nodes given a third set. It helps identify conditional independencies in the network.
  • Conditional Independence: In Bayesian Networks, certain variables may be conditionally independent of each other given some other variables. The structure of the network and the type of connection determine these independencies.

These three types of connections form the basis of how dependencies and relationships are modeled in Bayesian Networks, representing complex probabilistic relationships between variables.

Let’s create a simple Bayesian Network using pgmpy that models the probability of a cyber breach following phishing emails. In this network, we’ll consider three variables:

  • Phishing Email Received (PER)
  • Employee Clicks Link (ECL)
  • Cyber Breach Occurs (CBO)

The relationships are as follows:

  • Receiving a phishing email increases the chance of an employee clicking a malicious link.
  • Clicking the link increases the probability of a cyber breach.
  • PER → ECL → CBO

Directed Acyclic Graph (DAG)

Here’s a simple text representation of the Directed Acyclic Graph (DAG) for the Bayesian Network phishing example:

Phishing Email Received (PER)
         |
         v
Employee Clicks Link (ECL)
         |
         v
Cyber Breach Occurs (CBO)

In this DAG:

  • The arrow from PER (Phishing Email Received) to ECL (Employee Clicks Link) indicates that receiving a phishing email influences the likelihood of an employee clicking the link.
  • The arrow from ECL (Employee Clicks Link) to CBO (Cyber Breach Occurs) shows that clicking the link affects the probability of a cyber breach occurring.

This structure represents the causal relationships in the Bayesian Network used for the cybersecurity risk analysis.

The Bayesian Network in this example represents a chain structure.

Here’s why:

  • The network has three nodes: PER (Phishing Email Received), ECL (Employee Clicks Link), and CBO (Cyber Breach Occurs).
  • The edges are directed as follows: PER → ECL → CBO.

In a chain structure:

  • Information flows in a linear sequence from one node to the next.
  • In this case, PER influences ECL, and ECL influences CBO.

This is distinct from a fork structure (where one parent influences multiple children) and a V-structure (where two independent nodes converge on a common child).

Here are the tables for each of the Conditional Probability Distributions (CPDs) used in the example program.

In a real-world workflow, you should create each of the CPD tables for your Bayesian Network model and assign the probabilities from firsthand empirical data, expert observations as appropriate, and industry breach benchmark data. In your assumptions and disclosures, you should clearly state the sources of the data used for the model.

CPD for Phishing Email Received (PER)

This CPD represents the probability of receiving a phishing email.

+--------+----------+
|  PER   | P(PER)   |
+========+==========+
| PER(0) |   0.80   |  # 80% chance of not receiving a phishing email
+--------+----------+
| PER(1) |   0.20   |  # 20% chance of receiving a phishing email
+--------+----------+

CPD for Employee Clicks Link (ECL)

This CPD represents the probability of an employee clicking on a malicious link, given whether they received a phishing email.

+--------+---------+---------+
|  PER   |  ECL(0) |  ECL(1) |
+========+=========+=========+
| PER(0) |   0.90  |   0.10  |  # 90% chance of not clicking the link if no phishing email received
|        |         |         |  # 10% chance of clicking the link if no phishing email received
+--------+---------+---------+
| PER(1) |   0.40  |   0.60  |  # 40% chance of not clicking the link if phishing email received
|        |         |         |  # 60% chance of clicking the link if phishing email received
+--------+---------+---------+

CPD for Cyber Breach Occurs (CBO)

This CPD represents the probability of a cyber breach occurring, given whether the employee clicked the link.

+--------+---------+---------+
|  ECL   |  CBO(0) |  CBO(1) |
+========+=========+=========+
| ECL(0) |   0.95  |   0.05  |  # 95% chance of no breach if link not clicked
|        |         |         |  # 5% chance of breach if link not clicked
+--------+---------+---------+
| ECL(1) |   0.20  |   0.80  |  # 20% chance of no breach if link clicked
|        |         |         |  # 80% chance of breach if link clicked
+--------+---------+---------+

Summary of CPD Tables

  • PER: Represents the prior probability of receiving a phishing email.
  • ECL: Conditional probability of an employee clicking on the link based on whether a phishing email was received.
  • CBO: Conditional probability of a cyber breach occurring based on whether the link was clicked.

These tables provide a clear overview of the probabilities at each node in the Bayesian Network, which are then used to infer the overall risk of a cyber breach in the example program.

Feel free to change the probabilities based on the data from your environment to get a more realistic probability of cyber breach.


Python Program # 1

Summary of Steps to Create the Bayesian Network in Python

  1. Define Network Structure: Establish the relationships between variables.
  2. Define CPDs: Specify the conditional probabilities for each variable.
  3. Add CPDs: Integrate the CPDs into the Bayesian Network model.
  4. Validate Model: Ensure the network is correctly configured.
  5. Compute Probabilities: Use inference to calculate the desired probabilities.

Here’s how you can implement this in Python:

###############################################################################################################
# Privacy & Copyright Notice
# 
# This Python program is the intellectual property of Tim Layton. 
# All rights reserved, 2024.
#
# By accessing, running, or using this program in any way, you agree to the following terms:
#
# 1. **Confidentiality**: The contents of this program, including all code, comments, and outputs, are confidential. 
#    You are prohibited from sharing, copying, distributing, or using this program or any part thereof without 
#    the express written consent of Tim Layton.
#
# 2. **Usage**: This program is intended for personal or educational use within the boundaries set by Tim Layton.
#    Any commercial use, modification, or redistribution without authorization is strictly prohibited.
#
# 3. **Data Handling**: This program may involve the processing of data. Ensure that any data used or processed 
#    complies with all applicable data protection laws and regulations. Tim Layton is not responsible for any misuse 
#    or unauthorized handling of data by users of this program.
#
# 4. **Liability**: Tim Layton provides this program "as is" without any warranties for educational purposes.
# Tim Layton shall not be held liable for any damages or losses that may arise from the use of this program.
#
# For any inquiries or to request permissions, please contact Tim Layton directly at https://timlayton.blog/contact/
###############################################################################################################

import os
from pgmpy.models import BayesianNetwork
from pgmpy.factors.discrete import TabularCPD
from pgmpy.inference import VariableElimination

# Optional: Set the maximum number of threads for NumExpr
os.environ["NUMEXPR_MAX_THREADS"] = "8"

# STEP 1: Define the Bayesian Network structure
model = BayesianNetwork([('PER', 'ECL'), ('ECL', 'CBO')])

# STEP 2: Define the CPDs (Conditional Probability Distributions)
cpd_PER = TabularCPD(variable='PER', variable_card=2, values=[[0.8], [0.2]])  # 20% chance of receiving a phishing email
# TabularCPD layout: rows are the states of the variable itself, columns follow the
# evidence states in order (PER=0, PER=1), so values[1][1] is P(ECL=1 | PER=1) = 0.6.
cpd_ECL = TabularCPD(variable='ECL', variable_card=2,
                     values=[[0.9, 0.4], [0.1, 0.6]],
                     evidence=['PER'], evidence_card=[2])  # Conditional on PER
cpd_CBO = TabularCPD(variable='CBO', variable_card=2,
                     values=[[0.95, 0.2], [0.05, 0.8]],
                     evidence=['ECL'], evidence_card=[2])  # Conditional on ECL

# STEP 3: Add CPDs to the model
model.add_cpds(cpd_PER, cpd_ECL, cpd_CBO)

# STEP 4: Check if the model is valid
assert model.check_model()

# STEP 5: Compute Probabilities
# Perform inference
inference = VariableElimination(model)

# Query: What is the probability of a cyber breach given that a phishing email was received?
result = inference.query(variables=['CBO'], evidence={'PER': 1})
print(result)

Explanation of the Code:

This program demonstrates how to create a Bayesian Network using the pgmpy Python library to model the probability of a cyber breach occurring due to a phishing email.

Importing Required Modules:

  • We begin by importing the necessary classes and functions from pgmpy.
  • BayesianNetwork: This class is used to define the structure of the Bayesian Network.
  • TabularCPD: This class is used to define the Conditional Probability Distributions (CPDs) for each node in the network.
  • VariableElimination: This class is used to perform inference on the Bayesian Network.

Optional NumExpr Configuration:

  • We set the NUMEXPR_MAX_THREADS environment variable to 8. This controls the number of threads used by NumExpr, a library used internally by pgmpy for performance optimization. This step is optional and primarily suppresses an informational message about thread usage.

Defining the Bayesian Network Structure:

  • We create a BayesianNetwork object named model. The structure of the network is defined by adding directed edges between nodes. In this example:
    • PER (Phishing Email Received) → ECL (Employee Clicks Link)
    • ECL (Employee Clicks Link) → CBO (Cyber Breach Occurs)

Defining Conditional Probability Distributions (CPDs):

In the Bayesian Network model described in the code, three Conditional Probability Distributions (CPDs) are defined, representing the relationships between different variables in a cybersecurity scenario:

Phishing Email Received (PER)

  • PER(0): The probability of not receiving a phishing email is 80% (0.8).
  • PER(1): The probability of receiving a phishing email is 20% (0.2).

Employee Clicks Link (ECL) – Conditional on whether a phishing email was received:

  • If no phishing email was received (PER(0)):
    • ECL(0): 90% probability of not clicking the link.
    • ECL(1): 10% probability of clicking the link.
  • If a phishing email was received (PER(1)):
    • ECL(0): 40% probability of not clicking the link.
    • ECL(1): 60% probability of clicking the link.

Cyber Breach Occurs (CBO) – Conditional on whether the employee clicked the link:

  • If the link was not clicked (ECL(0)):
    • CBO(0): 95% probability that no breach occurs.
    • CBO(1): 5% probability that a breach occurs.
  • If the link was clicked (ECL(1)):
    • CBO(0): 20% probability that no breach occurs.
    • CBO(1): 80% probability that a breach occurs.

Adding CPDs to the Network:

  • We add the defined CPDs to the Bayesian Network using the add_cpds() method.

Model Validation:

  • We validate the model with check_model() to ensure all CPDs are correctly defined and consistent with the network structure.

Performing Inference:

  • We use the VariableElimination class to perform inference on the network.
  • In this example, we query the network to calculate the probability of a cyber breach (CBO) given that a phishing email was received (PER = 1).

Output:

  • The result of the query is printed, showing the calculated probability distribution of a cyber breach occurring under the given conditions.

+--------+------------+
| CBO    |   phi(CBO) |
+========+============+
| CBO(0) |     0.5000 |
+--------+------------+
| CBO(1) |     0.5000 |
+--------+------------+

Interpreting the Output

The output of the program is presented in a table that shows the probability distribution of the variable CBO (Cyber Breach Occurs) given the evidence that a phishing email was received (PER = 1). Here’s how to interpret the output:

  • CBO(0): This represents the scenario where a cyber breach does not occur.
  • CBO(1): This represents the scenario where a cyber breach does occur.

The corresponding probabilities are shown in the phi(CBO) column:

  • CBO(0) | 0.5000: The probability that a cyber breach does not occur is 50%.
  • CBO(1) | 0.5000: The probability that a cyber breach does occur is 50%.

What This Means

Given that a phishing email has been received, the Bayesian Network calculates that there is an equal probability (50%) of a cyber breach occurring or not occurring. This 50/50 probability suggests that, based on the structure and the conditional probabilities defined in the model, the occurrence of a breach is as likely as its non-occurrence under these specific conditions.

Further Considerations

  • Model Refinement: The equal probabilities might indicate that the model could benefit from additional data or more refined conditional probabilities to more accurately reflect the real-world risk. For instance, if in reality a cyber breach is more likely following a phishing email, the model’s CPDs might need to be adjusted to reflect this.
  • Risk Management: In a practical setting, this output could be used to inform risk management decisions. Knowing that there is a significant risk of a breach (50% chance) after a phishing email might prompt stronger security measures, such as more rigorous training for employees or enhanced monitoring of network activity.
  • Risk Modeling: One of the biggest benefits of using Bayesian Networks for cybersecurity risk analysis is the ability to update and revise the model with new probabilities before you invest in new controls. For example, if you wanted to reduce the probability of your users receiving a phishing email by installing a new email filtering solution, you can revise your model and probabilities and run the program again before making an investment decision.

Example Risk Modeling Revisions

For example, if the new email filtering solution will filter out 99% of all phishing emails, so that you expect only 1% of the emails reaching your users to be phishing related, you could update the CPDs as shown below and then run the program again to compute the new probability of a cyber breach under the revised model.

Revised CPD for Phishing Email Received (PER)

This CPD represents the probability of receiving a phishing email.

+--------+----------+
|  PER   | P(PER)   |
+========+==========+
| PER(0) |   0.99   |  # 99% chance of not receiving a phishing email
+--------+----------+
| PER(1) |   0.01   |  # 1% chance of receiving a phishing email
+--------+----------+

CPD for Employee Clicks Link (ECL)

This CPD represents the probability of an employee clicking on a malicious link, given whether they received a phishing email. You started running an internal phishing simulation program every month and learned that about 7% of your users click on the campaign emails; you revised the model based on this new information.

+--------+---------+---------+
|  PER   |  ECL(0) |  ECL(1) |
+========+=========+=========+
| PER(0) |   0.99  |   0.01  |  # 99% chance of not clicking the link if no phishing email received
|        |         |         |  # 1% chance of clicking the link if no phishing email received
+--------+---------+---------+
| PER(1) |   0.93  |   0.07  |  # 93% chance of not clicking the link if phishing email received
|        |         |         |  # 7% chance of clicking the link if phishing email received
+--------+---------+---------+

CPD for Cyber Breach Occurs (CBO)

This CPD represents the probability of a cyber breach occurring, given whether the employee clicked the link. Based on your organization’s compensating controls (e.g. malware detection, IDS, IPS, firewall), you believe there is about a 10% probability of a breach event if a user clicks on a real phishing email link.

+--------+---------+---------+
|  ECL   |  CBO(0) |  CBO(1) |
+========+=========+=========+
| ECL(0) |   0.99  |   0.01  |  # 99% chance of no breach if link not clicked
|        |         |         |  # 1% chance of breach if link not clicked
+--------+---------+---------+
| ECL(1) |   0.90  |   0.10  |  # 90% chance of no breach if link clicked
|        |         |         |  # 10% chance of breach if link clicked
+--------+---------+---------+

Updated CPDs in Python Code For Program # 1

###############################################################################################################
# Privacy & Copyright Notice
# 
# This Python program is the intellectual property of Tim Layton. 
# All rights reserved, 2024.
#
# By accessing, running, or using this program in any way, you agree to the following terms:
#
# 1. **Confidentiality**: The contents of this program, including all code, comments, and outputs, are confidential. 
#    You are prohibited from sharing, copying, distributing, or using this program or any part thereof without 
#    the express written consent of Tim Layton.
#
# 2. **Usage**: This program is intended for personal or educational use within the boundaries set by Tim Layton.
#    Any commercial use, modification, or redistribution without authorization is strictly prohibited.
#
# 3. **Data Handling**: This program may involve the processing of data. Ensure that any data used or processed 
#    complies with all applicable data protection laws and regulations. Tim Layton is not responsible for any misuse 
#    or unauthorized handling of data by users of this program.
#
# 4. **Liability**: Tim Layton provides this program "as is" without any warranties for educational purposes.
# Tim Layton shall not be held liable for any damages or losses that may arise from the use of this program.
#
# For any inquiries or to request permissions, please contact Tim Layton directly at https://timlayton.blog/contact/
###############################################################################################################

import os
from pgmpy.models import BayesianNetwork
from pgmpy.factors.discrete import TabularCPD
from pgmpy.inference import VariableElimination

# Optional: Set the maximum number of threads for NumExpr
os.environ["NUMEXPR_MAX_THREADS"] = "8"

# Define the Bayesian Network structure
model = BayesianNetwork([('PER', 'ECL'), ('ECL', 'CBO')])

# Define the CPDs (Conditional Probability Distributions)

cpd_PER = TabularCPD(variable='PER', variable_card=2, values=[[0.99], [0.01]])  # 1% chance of receiving a phishing email

# Rows are [ECL=0, ECL=1]; columns follow the evidence states [PER=0, PER=1].
# As written: P(ECL=1 | PER=0) = 0.01 and P(ECL=1 | PER=1) = 0.93.
cpd_ECL = TabularCPD(variable='ECL', variable_card=2,
                     values=[[0.99, 0.07], [0.01, 0.93]],
                     evidence=['PER'], evidence_card=[2])  # Conditional on PER
# Rows are [CBO=0, CBO=1]; columns [ECL=0, ECL=1]: P(CBO=1 | ECL=1) = 0.10.
cpd_CBO = TabularCPD(variable='CBO', variable_card=2,
                     values=[[0.99, 0.9], [0.01, 0.1]],
                     evidence=['ECL'], evidence_card=[2])  # Conditional on ECL

# Add CPDs to the model
model.add_cpds(cpd_PER, cpd_ECL, cpd_CBO)

# Check if the model is valid
assert model.check_model()

# Perform inference
inference = VariableElimination(model)

# Query: What is the probability of a cyber breach given that a phishing email was received?
result = inference.query(variables=['CBO'], evidence={'PER': 1})
print(result)

New Output

+--------+----------+
|   CBO  | phi(CBO) |
+========+==========+
| CBO(0) | 0.9063   |
+--------+----------+
| CBO(1) | 0.0937   |
+--------+----------+

Based on the revised probabilities and model updates, the new probability of a cyber breach event from one of your users clicking on a phishing email link is approximately 9% with the new email filtering solution vs. 50% previously.

This is valuable information that can inform your decision on whether or not to purchase the new email filtering solution.

In my case, I would create a loss exceedance curve to compute the future loss scenarios and compare them to give decision makers a comprehensive understanding of the probabilities and losses, but that is beyond the scope of this primer. The probability of cyber breach computed in this example program would serve as an input to the loss exceedance program. By combining the probability of cyber breach with the loss exceedance forecast, you can quantify cybersecurity risks in economic terms for decision makers and present the information in clear business terms that they can understand and use to make higher quality informed risk-based decisions.

This program’s output gives a straightforward probabilistic assessment based on the current model, which can be a valuable part of a broader cybersecurity risk analysis and risk modeling.

Conclusion

By using pgmpy, you can create Bayesian Networks that model complex cybersecurity scenarios, allowing you to perform probabilistic reasoning and make informed decisions about risk management. This basic example illustrates how phishing emails could lead to a cyber breach, but the same principles can be extended to model more intricate systems with additional variables and dependencies.

The pgmpy library is a robust tool that can be integrated into your cybersecurity risk analysis toolkit, providing a structured way to assess and mitigate potential threats.


Data and Bayesian Networks

Bayesian Network models are an excellent choice for cybersecurity risk analysis, particularly in scenarios where both empirical data and expert opinion are essential, for several key reasons.

Empirical Data

Empirical data refers to the information gathered through observations, experiments, or historical records. In cybersecurity, this might include data on past breaches, log files, incident reports, vulnerability assessments, and other quantifiable metrics.

Bayesian Networks can effectively integrate this empirical data, allowing for a structured representation of the relationships between various risk factors. For instance, data on the frequency of phishing attacks, the success rate of different types of attacks, and the subsequent impact on an organization can be incorporated into the network. This empirical data forms the foundation of the probabilistic reasoning within a Bayesian Network, providing a data-driven basis for assessing the likelihood of different cyber threats and their potential consequences.

Expert Opinion

In many cybersecurity scenarios, especially in areas where data may be sparse or where emerging threats are concerned, expert opinion becomes a crucial element of risk analysis. Experts can provide insights based on their experience and understanding of the current threat landscape, predicting potential attack vectors, assessing the effectiveness of security controls, or estimating the likelihood of new types of attacks.

Bayesian Networks are uniquely suited to combine this qualitative expert judgment with empirical data. By integrating expert opinion into the network, we can fill in gaps where data is unavailable or uncertain, adjust probabilities to reflect expert insights, and model complex, evolving scenarios that may not yet be fully captured by empirical data alone.

Combining Empirical Data and Expert Opinion

The strength of Bayesian Networks lies in their ability to combine empirical data and expert opinion seamlessly. In cybersecurity, where the environment is dynamic and threats constantly evolve, relying solely on historical data may not provide a complete picture. Conversely, expert opinion alone may lack the quantifiable rigor that data provides. Bayesian Networks allow for the integration of both, creating a model that is both robust and adaptable. This combined approach enables organizations to make informed decisions that consider both the statistical evidence from past events and the informed predictions of seasoned professionals.

In summary, Bayesian Networks provide a powerful framework for cybersecurity risk analysis by leveraging both empirical data and expert opinion. This dual approach ensures that risk assessments are comprehensive, incorporating both the rigor of data analysis and the foresight of expert judgment, making Bayesian Networks an indispensable tool in the ever-changing landscape of cybersecurity.

Modeling Complex Dependencies

  • Capturing Interdependencies: Cybersecurity systems are complex, with multiple interdependent components (e.g., firewalls, user behavior, software vulnerabilities). Bayesian Networks are well-suited to model these interdependencies, showing how the state of one component (like user awareness) can influence others (like the success of a phishing attack).
  • Scenario Analysis: Bayesian Networks enable “what-if” scenarios. For example, you can easily assess how the likelihood of a data breach changes if certain conditions are met (e.g., a successful phishing attempt or the presence of a system vulnerability).

Dynamic Updating with New Information

  • Learning from New Data: As new data becomes available (e.g., after an incident occurs or new vulnerabilities are discovered), Bayesian Networks can be updated to reflect this new information, making the model more accurate over time.
  • Incorporating Continuous Monitoring: In a dynamic field like cybersecurity, where new threats emerge constantly, Bayesian Networks can be updated dynamically as new evidence is gathered, providing real-time risk assessment.

Visual and Intuitive Representation

  • Ease of Communication: Bayesian Networks offer a visual representation of the relationships between different factors. This makes it easier to communicate complex risk scenarios to stakeholders, including those who may not have a deep technical background.
  • Clear Cause-and-Effect Relationships: The structure of a Bayesian Network clearly shows cause-and-effect relationships, helping decision-makers understand how different risks are connected and what factors are driving the risk of a particular outcome (e.g., a data breach).

Quantitative Risk Assessment

  • Quantifying Expert Opinion: Experts can quantify their opinions in terms of probabilities, which are then integrated into the Bayesian Network. This allows for a more structured and consistent way to incorporate expert knowledge into the risk analysis process.
  • Prioritization of Risks: By calculating the probabilities of various outcomes, Bayesian Networks help prioritize risks, focusing resources on the most likely or most impactful threats.

Scenario Simulation and Decision Support

  • Testing Mitigation Strategies: Bayesian Networks allow you to simulate the impact of different cybersecurity strategies (e.g., improving user training or patching vulnerabilities) before they are implemented, helping to identify the most effective measures.
  • Supporting Decision-Making: The ability to simulate scenarios and update the network with new data makes Bayesian Networks a powerful decision-support tool, guiding organizations in making informed choices about where to allocate resources and how to respond to emerging threats.
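The "what-if" scenario analysis and mitigation-testing bullets above can be tried directly on the PER -> ECL -> CBO phishing chain from the program earlier on this page. The following is an added example, not code from the primer: it re-implements the exact inference that pgmpy's VariableElimination performs for that small network in plain Python (enumeration over the joint), so it runs without pgmpy, and compares the page's email-filter CPD values against a constructed scenario in which awareness training further lowers the click rate; the 0.5 click rate and the function names are assumptions.

```python
from itertools import product

# Added example (not the primer's code): exact inference by enumeration for a
# small discrete Bayesian Network, used for "what-if" mitigation comparisons on
# the PER -> ECL -> CBO chain. A CPD maps a tuple of parent states to the
# distribution [P(child=0), P(child=1)].

def make_phishing_model(p_click_given_phish, p_breach_given_click):
    """Return (parents, cpds) for PER -> ECL -> CBO.

    p_click_given_phish  : P(ECL=1 | PER=1); the page's filter scenario uses 0.93.
    p_breach_given_click : P(CBO=1 | ECL=1); the page's program uses 0.1.
    The remaining entries keep the page's values (1% phishing base rate,
    1% click rate without a phishing email, 1% breach rate without a click).
    """
    parents = {"PER": (), "ECL": ("PER",), "CBO": ("ECL",)}
    cpds = {
        "PER": {(): [0.99, 0.01]},
        "ECL": {(0,): [0.99, 0.01],
                (1,): [1 - p_click_given_phish, p_click_given_phish]},
        "CBO": {(0,): [0.99, 0.01],
                (1,): [1 - p_breach_given_click, p_breach_given_click]},
    }
    return parents, cpds

def query(parents, cpds, variable, evidence):
    """P(variable | evidence): sum the joint over every assignment consistent
    with the evidence, then normalise. Variables must be listed parents-first."""
    order = list(parents)
    dist = [0.0, 0.0]
    for states in product((0, 1), repeat=len(order)):
        assignment = dict(zip(order, states))
        if any(assignment[v] != s for v, s in evidence.items()):
            continue  # inconsistent with the observed evidence
        joint = 1.0
        for v in order:  # chain rule: product of P(v | parents(v))
            key = tuple(assignment[p] for p in parents[v])
            joint *= cpds[v][key][assignment[v]]
        dist[assignment[variable]] += joint
    total = sum(dist)
    return [d / total for d in dist]

def breach_given_phish(p_click, p_breach=0.1):
    """P(CBO=1 | PER=1) for a given click rate, the page's query."""
    parents, cpds = make_phishing_model(p_click, p_breach)
    return query(parents, cpds, "CBO", {"PER": 1})[1]

if __name__ == "__main__":
    scenarios = [("email filter (page's CPD values)", 0.93),
                 ("filter + awareness training (constructed)", 0.50)]
    for label, p_click in scenarios:
        print(f"{label}: P(breach | phishing email) = {breach_given_phish(p_click):.4f}")
```

The first scenario reproduces the 0.0937 that the pgmpy program printed; swapping in a different CPD entry is all a what-if run requires.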

Summary

Bayesian Network models are a strong fit for cybersecurity risk analysis because they effectively combine empirical data with expert opinion, handle uncertainty, and model complex interdependencies. They provide a clear, visual, and quantitative approach to risk assessment, enabling organizations to dynamically update their understanding of risks and make informed decisions. This makes them especially useful in the fast-paced, constantly evolving field of cybersecurity, where both historical data and expert insights are crucial for managing risk.

I routinely update and add new examples to help expand your knowledge and learn how flexible Bayesian Networks and Python are for cybersecurity risk analysis. I include videos, full working code in Jupyter Notebooks, and supporting documents.