Vibe Coding a Bayesian Thought Experiment
How to create a Thomas Bayes Risk Forecasting Simulation
I've been in the cybersecurity industry for 30 years and have been a CISO four times. In 2023, I wrote a book about everything I had learned over that time. It’s called "Cybersecurity First Principles: A Reboot of Strategy and Tactics."
In chapter 6, I discuss risk forecasting, a pet peeve of mine because I think the infosec community has been doing it wrong for my entire career. There, I describe three risk forecasting techniques that all security professionals should embrace: Bayes Algorithm, Fermi Estimates, and Superforecasting. In this essay, I’m focusing on Bayes.
In an original paper published by The Royal Society in 1763, “An Essay towards solving a Problem in the Doctrine of Chances,” Thomas Bayes’ hypothesis, at a high level, is that a risk forecaster can calculate the probability of an event by creating a three-step infinite loop process:
Collect evidence about the event.
Estimate the probability (or adjust the last estimate) based on that evidence.
Repeat.
The idea is that the more times you go through the loop, the more precise and accurate your risk forecast becomes.
Bayes’ Thought Experiment
In the essay, Bayes describes a thought experiment to demonstrate how that works. It involves a billiards table and two people: a guesser (Bayes, with his back turned to the table), and an assistant. Here’s how the experiment unfolds:
The assistant randomly rolls a cue ball onto a table and marks its position. Bayes does not know where the ball landed. He only knows it could be anywhere along the table. He then makes his first guess about where the cue ball is located on the table.
The assistant then rolls additional balls onto the table one at a time.
After each roll,
The assistant reports to Bayes whether the new ball landed to the left or to the right of the cue ball, but never reveals the actual position.
Bayes adjusts his prior guess as to where the cue ball is located on the billiards table based on that new information.
The more balls the assistant rolls, the more accurate becomes Bayes’ forecast of where the cue ball actually sits.
I love when scientists use thought experiments to explain their theories. Einstein was famous for it. But I have to admit, I didn’t understand how Bayes’ billiard table example showed that collecting more evidence improves forecasts. I didn’t get how the experiment worked. I couldn’t visualize how knowing if random balls landed to the left or to the right helped Bayes make better forecasts. I decided to build a simulator to see if I could figure it out. I’ve been wanting to try out some vibe coding anyway. This seemed like the perfect opportunity.
By the way, I got the idea from Richard Seiersen when I attended his Cyber Risk Workshop in San Francisco at the RSA Conference this year. He used a billiards table simulation that he wrote to demonstrate the same idea.
Vibe Coding
Vibe coding is where a large language model (LLM), like ChatGPT, generates most or all of the code from natural language prompts provided by the developer. Andrej Karpathy (co-founder of OpenAI) popularized the term in early 2025. He described it as “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists”.
My first reaction to it is that the technique is quick and easy for building an initial prototype. It took me about an hour to write the initial prompt that got me something that worked. Then it took me another few hours of tweaking the prompt to get the simulation to a place where I thought anybody could use it and understand what the simulation was doing.
I didn’t want a lot of complicated software engineering. I just wanted to run the simulation locally in my Chrome browser. Here is the prompt:
ChatGPT Prompt for Bayes Billiard Table Simulation
I am a cybersecurity professional. I've been in the industry for 30 years. I've been a CISO four times. I published a book on the subject in 2023 called "Cybersecurity First Principles: A Reboot of Strategy and Tactics." Chapter 6 of the book discusses risk forecasting and heavily relies on three techniques: Bayes Algorithm, Fermi Estimates, and Superforecasting. In the original Bayes paper,
Thomas Bayes (Late Rev Mr. Bayes, Fellow of the Royal Society (F.R.S)), Richard Price (Mr. Price), 31 December, 1763. An Essay towards solving a Problem in the Doctrine of Chances [Letter to John Canton, Artium Magister of the Royal Society A. M. F. R. S] The Royal Society: ISSN0261-0523eISSN2053-9223. URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053
Bayes describes a thought experiment to demonstrate how that works. It involves a billiards table and two people: a guesser (Bayes, with his back turned to the table), and an assistant.
Here’s how the experiment unfolds:
The assistant randomly rolls a cue ball onto a table and marks its position. Bayes does not know where the ball landed. He only knows it could be anywhere along the table. He then makes his first guess about where the cue ball is on the table.
Then, the assistant rolls additional balls onto the table one at a time.
After each roll,
The assistant reports to Bayes whether the new ball landed to the left or to the right of the cue ball, but never reveals the actual position.
Bayes adjusts his prior guess as to where the cue ball is based on that information.
The more balls the assistant rolls, the more accurate Bayes’ forecast becomes.
Write a single HTML file with embedded JavaScript and CSS so I can run it locally by opening it in my Chrome browser.
The main mechanic is a simulation that shows a billiard table with green felt.
The simulation allows the user to play the part of Bayes, the guesser.
The simulation plays the part of the assistant.
The simulation has three stages.
Stage 1: Roll the initial cue ball.
Stage 2: Allow the user to guess where the cue ball is on the table.
Stage 3: Roll additional balls onto the table.
Stage 2 and Stage 3 repeat until the user decides to start over in Stage 1.
The simulation shows the user three buttons.
Button #1: Called "Roll the cue ball". When the user pushes it (Stage 1), the simulation starts over with a new game. The simulation clears the table, rolls a new cue ball onto the table, and keeps track of where it lands. It does not reveal the location to the user.
Button #2: Called "Reveal." When the user pushes it, the simulation reveals the location of the cue ball on the table. If the user pushes the button again, the simulation hides the location of the cue ball. Button #2 acts as a toggle.
Button #3: Called "Roll Another Ball." When the user pushes it (Stage 3), the simulation rolls another ball onto the table. If the ball lands to the left of the cue ball, that ball is the color red and the simulation tells the user that the ball landed to the left. If the ball lands to the right of the cue ball, that ball is the color blue and the simulation tells Bayes that the ball landed to the right. After each roll, allow the user to make a guess as to where the cue ball is (Stage 2).
There are three visual elements displayed on the screen.
Visual Element #1: The billiard table in the middle of the screen.
Visual Element #2: The buttons on the right side of the screen.
Visual Element #3: A log on the left side of the screen that captures the distance from the cue ball to where the user placed the last forecast. I want to give the user a way to judge if his forecasts are getting closer or farther away from the real answer.
Keep the code simple and commented.
Do not use any external libraries or online resources. Everything should be inside one file.
Provide simple instructions so that the user of the simulation understands how to operate it.
Running the Simulation
Click the button to download the Bayes Billiards Thought Experiment Final HTML code.
Open the file (double click on the file name) and your Chrome browser will display something like this:
The controls are on the right. Click “Roll the cue ball” to start the simulation. You will see an empty billiards table. The simulation doesn’t reveal the location of the cue ball unless you tell it to. You can toggle that by hitting the “Reveal (toggle)” button. Start by toggling the location of the cue ball off.
Next, make your initial forecast. Click anywhere on the table. A yellow dotted line will appear marking your forecast position.
The forecast log is on the left. Every time you make a forecast, the simulation tells you how far away you are from the actual location of the cue ball. In my example above, my initial forecast was 172 pixels away from the cue ball, or 20% of the billiard table’s width.
Next, push the “Roll another ball” button. If the ball lands to the left of the cue ball, the ball will be red. If it lands to the right, it will be blue.
Click the table to make your next forecast. This is an exercise in splitting the distance. If your first ball is red, estimate half the distance from the red ball to the right edge of the billiards table and make your next forecast there.
Push the “Roll another ball” button. If this next ball is blue, then estimate half the distance from the red ball to the blue ball and make another forecast. Check your progress on the log at the left. Are you getting closer?
Keep pushing the “Roll another ball” button. Every red ball that lands to the left of that initial red ball is not that useful. It doesn’t get us closer to the cue ball. You don’t have to adjust your forecast. You can, but you don’t have to. But if a red ball lands to the right of the initial red ball, use that red ball to halve the distance on your next forecast. The same is true for all blue balls. Every blue ball that lands to the right of the initial blue ball is not that useful. But if a blue ball lands to the left of the initial blue ball, use that blue ball to halve the distance on your next forecast.
Keep rolling balls until you get bored. Make your final forecast. Then, hit the toggle button to see how close you got.
Here is the perfect example:
The forecast is half the distance between the red ball and the blue ball. When I revealed the cue ball, I could see that my forecast was pretty close. Looking at the Forecast Log, I made four predictions. The first was 337 pixels away. The last was five.
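The walkthrough above is the hands-on version of the experiment. To see it side by side with Bayes’ own rule, here is an added example that is not part of this article or of the downloadable simulation: a JavaScript re-run of the billiards game with no graphics. The table width is normalised to the interval 0 to 1, and the seeded random generator (mulberry32), the 30-roll game length and the seed value are constructed assumptions. After every roll it logs two forecasts: the posterior mean from Bayes’ rule, which uses only the left/right reports (with L lefts and R rights and a uniform prior, the posterior for the cue position is the Beta(L+1, R+1) distribution), and the halve-the-distance midpoint from the walkthrough, which uses the visible positions of the nearest red and nearest blue balls.

```javascript
// Added example, not the author's simulation: a headless re-run of Bayes'
// billiards experiment on a table whose width is normalised to [0, 1].
// Two forecasters are updated after every roll:
//   1. Bayes' rule, which uses only the left/right reports. With L balls
//      reported left and R reported right, the posterior for the cue position
//      is Beta(L + 1, R + 1), with mean (L + 1) / (L + R + 2).
//   2. The "halve the distance" heuristic from the walkthrough, which uses the
//      visible ball positions: the cue must lie between the rightmost red ball
//      and the leftmost blue ball, so forecast the midpoint of that gap.
// Assumptions: uniform rolls; the generator (mulberry32) is seeded so a run
// can be reproduced; a ball exactly on the cue position counts as "right".

function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Posterior mean and central 95% credible interval for the cue position after
// `left` and `right` reports. The Beta(L+1, R+1) density is summed on a fine
// grid, so the interval bounds are accurate to roughly 1 / GRID.
const GRID = 4000;
function betaPosterior(left, right) {
  const a = left + 1;
  const b = right + 1;
  const mean = a / (a + b);
  const density = new Array(GRID + 1);
  let total = 0;
  for (let i = 0; i <= GRID; i++) {
    const x = i / GRID;
    density[i] = Math.pow(x, a - 1) * Math.pow(1 - x, b - 1);
    total += density[i];
  }
  let cumulative = 0;
  let lo = 0;
  let hi = 1;
  let loFound = false;
  for (let i = 0; i <= GRID; i++) {
    cumulative += density[i] / total;
    if (!loFound && cumulative >= 0.025) { lo = i / GRID; loFound = true; }
    if (cumulative >= 0.975) { hi = i / GRID; break; }
  }
  return { mean, lo, hi };
}

// Play one game: hide a cue ball, roll `rolls` more balls, and log how far
// each forecast is from the true position after every roll.
function runExperiment(rolls, seed) {
  const rng = makeRng(seed);
  const cue = rng();       // the assistant's secret
  let left = 0;
  let right = 0;
  let nearestRed = 0;      // rightmost ball reported "left" (starts at the left edge)
  let nearestBlue = 1;     // leftmost ball reported "right" (starts at the right edge)
  const log = [];
  for (let i = 1; i <= rolls; i++) {
    const ball = rng();
    const report = ball < cue ? 'left' : 'right';
    if (report === 'left') {
      left++;
      if (ball > nearestRed) nearestRed = ball;   // only a nearer red ball helps
    } else {
      right++;
      if (ball < nearestBlue) nearestBlue = ball; // only a nearer blue ball helps
    }
    const post = betaPosterior(left, right);
    const midpoint = (nearestRed + nearestBlue) / 2;
    log.push({
      roll: i,
      report,
      bayesForecast: post.mean,
      bayesError: Math.abs(post.mean - cue),
      credibleWidth: post.hi - post.lo,
      halvingForecast: midpoint,
      halvingError: Math.abs(midpoint - cue),
    });
  }
  return { cue, nearestRed, nearestBlue, log };
}

// Stand-alone usage: print a log like the simulation's left-hand panel.
const game = runExperiment(30, 1763);
for (const row of game.log) {
  console.log(`roll ${row.roll}: ${row.report.padEnd(5)} ` +
    `Bayes ${row.bayesForecast.toFixed(3)} (off by ${row.bayesError.toFixed(3)}, ` +
    `95% width ${row.credibleWidth.toFixed(3)})  ` +
    `halving ${row.halvingForecast.toFixed(3)} (off by ${row.halvingError.toFixed(3)})`);
}
console.log(`cue ball was actually at ${game.cue.toFixed(3)}`);
```

Run it with node and read the log top to bottom. Two things stand out: the credible interval does not narrow on every single roll (a report that goes against the run so far can widen it for a step), but it narrows steadily over the game, which is the “more evidence, better forecast” point of the essay. And the halving forecast usually closes in faster, because it uses the ball positions, information Bayes’ guesser was never given; the reports alone are enough, they just take more rolls.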
Takeaways
I’ve been reading about Bayes’ algorithm for over a decade. In fact, I highly recommend Doctor Sharon Bertsch McGrayne’s 2011 Cybercanon Candidate book “The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy.” If you want the Reader’s Digest version, McGrayne gave an excellent Google Talk about the book back in 2011 (See References Below).
But the significance of the Bayes thought experiment about the billiards table from his original 1763 paper had always baffled me. I didn’t understand how it worked. Using Vibe Coding, I quickly built a prototype that gave me the insight I needed: according to Bayes’ Algorithm, the more evidence you collect, the better your forecasts become. The more balls I rolled onto the billiard table, the better my forecast predicted where the cue ball actually was located.
And that’s why Bayes’ Algorithm is a fundamental technique in calculating material cyber risk for any enterprise. Your team assesses the deployment of the first principle strategies and tactics you’ve chosen to pursue. Your threat team makes an initial risk forecast. This is similar to the assistant rolling the first colored ball in my Vibe Coding simulation. Let’s say that the team estimates that the probability of a material cyber event in the next year is 20%. Now they collect more evidence. Let’s say they deployed a new tool that would improve their zero trust posture. What is their new forecast about the probability of a material cyber event?
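One way to answer that question with numbers, as an added example that is not part of this article: the code below applies Bayes’ rule in odds form to the 20% prior and then repeats the update for a second piece of evidence, which is the collect, update, repeat loop from the start of the essay. The conditional probabilities attached to the zero trust deployment, and the second, constructed evidence item, are assumed values chosen for illustration; a real threat team would have to estimate them.

```javascript
// Added example, not from the article: the Bayes loop (collect evidence,
// update, repeat) applied to the risk question in the text. The 20% prior is
// the article's number; the likelihoods attached to each piece of evidence
// are ASSUMED, illustrative values a threat team would have to estimate.
//
// Bayes' rule in odds form: posterior odds = prior odds x likelihood ratio,
// where the likelihood ratio is P(evidence | event) / P(evidence | no event).
// Working in odds turns a chain of updates into a running product.

function toOdds(p) {
  if (!(p > 0 && p < 1)) throw new RangeError(`probability must be in (0, 1), got ${p}`);
  return p / (1 - p);
}

function toProbability(odds) {
  return odds / (1 + odds);
}

// One pass through the loop: the updated probability of a material cyber
// event, given evidence with the stated conditional probabilities.
function bayesUpdate(prior, pEvidenceIfEvent, pEvidenceIfNoEvent) {
  if (!(pEvidenceIfEvent > 0 && pEvidenceIfNoEvent > 0)) {
    throw new RangeError('likelihoods must be positive');
  }
  const likelihoodRatio = pEvidenceIfEvent / pEvidenceIfNoEvent;
  return toProbability(toOdds(prior) * likelihoodRatio);
}

// Repeat the loop over a list of evidence items, keeping a forecast trail the
// way the simulation's log does, so each update's effect is visible.
function forecastTrail(prior, evidence) {
  const trail = [{ label: 'initial forecast', likelihoodRatio: 1, forecast: prior }];
  let p = prior;
  for (const e of evidence) {
    p = bayesUpdate(p, e.ifEvent, e.ifNoEvent);
    trail.push({ label: e.label, likelihoodRatio: e.ifEvent / e.ifNoEvent, forecast: p });
  }
  return trail;
}

// Constructed evidence. The zero trust deployment is the article's scenario;
// the second item is made up to show that evidence can move the forecast
// either way. ifEvent = P(we would see this | event), ifNoEvent = P(... | no event).
const EVIDENCE = [
  { label: 'new tool deployed, zero trust posture improved', ifEvent: 0.30, ifNoEvent: 0.60 },
  { label: 'assessment finds a key control not yet deployed', ifEvent: 0.70, ifNoEvent: 0.40 },
];

for (const row of forecastTrail(0.20, EVIDENCE)) {
  console.log(`${row.label}: LR ${row.likelihoodRatio.toFixed(2)} -> ${(row.forecast * 100).toFixed(1)}%`);
}
```

With the assumed values, the zero trust deployment has a likelihood ratio of 0.5 and pulls the forecast from 20% down to about 11.1%; the constructed negative finding (likelihood ratio 1.75) pushes it back up to about 17.9%. The numbers matter less than the discipline: every update is an explicit, recorded estimate of how much more or less likely the evidence is in a year with a material event than in one without, which is exactly the input a leadership team can challenge.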
You will never get the exact probability with this technique and the two others I mentioned (Fermi Estimates and Superforecasting), but you can get enough ballpark precision and accuracy that your leadership team can use to make a decision. And really, that’s all we need.
Source
Thomas Bayes (Late Rev Mr. Bayes, Fellow of the Royal Society (F.R.S)), Richard Price (Mr. Price), 31 December, 1763. An Essay towards solving a Problem in the Doctrine of Chances [Letter to John Canton, Artium Magister of the Royal Society A. M. F. R. S] The Royal Society: ISSN0261-0523eISSN2053-9223. URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053
References
Ali Sundermier, 2016. 5 of Einstein’s thought experiments that changed science [Explainer]. World Economic Forum. URL https://www.weforum.org/stories/2016/08/5-of-einsteins-thought-experiments-that-changed-science/
Philip Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [Cybercanon Hall of Fame Book]. Goodreads. URL https://www.goodreads.com/book/show/23995360-superforecasting
Richard Seiersen, Robert Brown, 2025. Cyber Risk Workshop, San Francisco [Workshop Announcement]. Qualys / resilience. URL https://www.qualys.com/lp/tp1/cyber-risk-workshop-san-francisco-april-30-2025/
Rick Howard, 2023. 2023 Cybersecurity Canon Hall of Fame inductee: Superforecasting: The Art and Science of Prediction by Dr Phil Tetlock and Dr Dan Gardner. [Interview]. The CyberWire. URL https://thecyberwire.com/podcasts/cso-perspectives-public/5567/notes
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
Rick Howard, 2023. Superforecasting: The Art and Science of Prediction [Review]. Cybersecurity Canon Project. URL https://icdt.osu.edu/superforecasting-art-and-science-prediction
Rick Howard, 2025. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Review]. CyberCanon. URL https://cybercanon.org/the-theory-that-would-not-die-how-bayes-rule-cracked-the-enigma-code-hunted-down-russian-submarines-and-emerged-triumphant-from-two-centuries-of-controversy/
Sharon Bertsch McGrayne, 2011. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Cybercanon Candidate Book]. Goodreads. URL https://www.goodreads.com/book/show/10672848-the-theory-that-would-not-die
Sharon Bertsch McGrayne, 2011. The Theory That Would Not Die | Sharon Bertsch McGrayne | Talks at Google [WWW Document]. YouTube. URL
Staff, n.d. Vibe Coding Explained: Tools and Guides [Explainer]. Google Cloud. URL https://cloud.google.com/discover/what-is-vibe-coding
Staff, 2021. Fermi Problem Explained [Explainer]. Inch by Inch Stories - YouTube. URL
Thanks for the kind words Todd. Here is the LinkedIn URL: https://www.linkedin.com/pulse/vibe-coding-bayesian-thought-experiment-rick-howard-qte3e/
This was amazingly useful in multiple dimensions - understanding Bayes, getting a look into vibe coding, and seeing it all in action. If/when you post on LinkedIn, remind me and it'll get more love.