Scope

Deterministic analysis is generally restricted to events that occur frequently. This is because of the amount of data that must be collected ahead of the event, as well as the processing overhead incurred in pinpointing the cause. In a science experiment, more things happen around the experiment than are directly caused by it, so you have to know what to look for in order to make good judgments about cause and effect. The same is true for cybersecurity incidents. The artifacts created by a security incident must be seen a few times before it can be definitively stated that evidence X proves incident Y.

Probabilistic analysis can be applied to a much wider range of activities, including activities that have never been seen before (but that are theoretically possible). As probabilistic analysis improves, particularly if similar incidents occur repeatedly, a larger body of evidence can be created. Policies can evolve to look for other expected features, which might then enable deterministic analysis for this type of incident in the future.
