The Anti-virus Times

Named after its inventor, the 18th-century Presbyterian minister Thomas Bayes, Bayes’ theorem is a method for calculating the validity of beliefs (hypotheses, claims, propositions) based on the best available evidence (observations, data, information). Here’s the most dumbed-down description: Initial belief plus new evidence = new and improved belief

Here’s a fuller version: The probability that a belief is true given new evidence equals the probability that the belief is true regardless of that evidence times the probability that the evidence is true given that the belief is true divided by the probability that the evidence is true regardless of whether the belief is true. Got that?

The basic mathematical formula takes this form: P(B|E) = P(B) X P(E|B) / P(E), with P standing for probability, B for belief and E for evidence. P(B) is the probability that B is true, and P(E) is the probability that E is true. P(B|E) means the probability of B if E is true, and P(E|B) is the probability of E if B is true.

https://blogs.scientificamerican.com/cross-check/bayes-s-theorem-what-s-the-big-deal/

Assume that we've checked our system for malware and conclude with 1% probability that the system is clean.

Let’s say we also evaluate the reliability of our anti-virus to be around 99%. Question: if the anti-virus reports that the system is clean, how likely is it to be infected?

Now Bayes’ theorem displays its power. Most people assume the answer is 99%, or close to it. That’s how reliable the scan is, right? But the correct answer, yielded by Bayes’ theorem, is only 50%.

To solve for P(B|E), you plug the data into the right side of Bayes’ equation. P(B), the probability that your system was infected prior to getting scanned, is 1%, or .01. So is P(E), the probability that an infection is detected.

What about the denominator, P(E)? Here is where things get tricky. P(E) is the probability of testing positive whether or not your system is infected. In other words, it includes false positives as well as true positives.

To calculate the probability of a false positive, you multiply the rate of false positives, which is 1%, or .01, times the percentage of systems that haven't been infected, .99. The total comes to .0099. Yes, your terrific, 99%-accurate test yields as many false positives as it does true positives.1

Let’s finish the calculation. To get P(E), add true and false positives for a total of .0198, which when divided into .0099 comes to .5. So once again, P(B|E), the probability that your system is really infected is 50%.

If you go through the test again, you can reduce your uncertainty enormously because the probability of your system being infected, P(B), is now 50% rather than 1%. If the second scan also comes up positive, Bayes’ theorem tells you that the infection probability is now 99%, or .99. As this example shows, iterating Bayes’ theorem can yield extremely precise information.