First, an example of the use of Bayes Inference
In one of the best-known uses of Bayes Inference, Alan Turing broke the German secret code used by the Enigma Machine, thus saving thousands of lives. All he had was the machine and no experience or data.
Today, imagine trying to find a way to assess board-level conformance to cyber best practices when much of the information is stored in its own “Enigma Machine” – thousands of files, reams of board notes, and reports provided by operations scattered across departments, divisions, companies, and continents.
Let’s compound the problem by requiring board members to monitor the ever-evolving landscape of cyber best practices, where it seems that something new appears almost daily. We start, as Alan Turing did, without a clue.
How Bayes Inference enhances understanding
Reasoning and transparency
Bayes Inference differs from Machine Learning and other forms of Artificial Intelligence in that it incorporates both reasoning and transparency.
Reasoning: We start with a hypothesis and, as we gain more knowledge, we update the hypothesis. Think of when you are getting ready to go to work and the weather looks clear and warm. Just before leaving the house, you hear that the updated forecast is calling for rain. You “reason” that, with the new information, you should dress differently and carry an umbrella. You (unconsciously) use probability to assess the need for a change based upon your experience.
Transparency: Most of us think of AI as a black box – data goes in one side and results come out the other side. Bayes Inference also uses math and formulae, but we can follow the process of how the results were calculated. Also, much like human reasoning, we can see the path back from the result to the beginning.
How we are applying Bayes Inference
Our focus with CyberGov™ is to help organizations organize their information so that board members can monitor and audit the governance of cybersecurity risk processes vis-à-vis industry best practices.
CyberGov™ complements ISO/IEC 27032:2012, NIST, and FAIR, the quantitative, operationally oriented tools, by focusing more on the decisions and actions of management. As with the example of reasoning above, CyberGov™ will continue to update itself as it gains more experience and help board members track governance issues in a transparent manner.