Five Movie Scenes That Teach You Something About Risk Quantification
What can we learn from the Oakland A’s, a bar of soap, and a wizard?
Risk quantification is about as interdisciplinary as a field gets. The concepts come from statistics, decision science, actuarial science, intelligence analysis, behavioral economics, and much more. We are never far from another field’s good idea.
A beneficial side effect of pulling from so many places is that the concepts turn up everywhere, including in movies about baseball, spies, soap, a trading floor, and The Avengers. I teach risk and run workshops for executives, so I have spent years collecting these scenes and using them to explain ideas that usually need a slide deck and a bit of coffee.
Here are five of my favorites. Each one teaches a concept from the field. I hope you enjoy.
One warning before we start. A few of these clips have adult language or themes some people may find offensive. Watch with discretion.
1. Moneyball: Measure the Right Things
Moneyball is an absolute masterclass in measuring the right thing, and in how measuring the wrong thing leads to suboptimal results. I love this movie and the book, and I’ve watched and read both multiple times. Moneyball is a great source of inspiration and ideas for anyone who works with data.
Billy Beane is the general manager of the Oakland A’s (I’m still upset about the move btw), and he has a problem. The club needs to replace Jason Giambi, a great hitter who just got poached off the roster. There’s a meeting with the baseball scouts, and they’re talking through who they like. The scouts list off their picks and their reasons:
“Clean-cut, good face.” “Good jaw.” “He passes the eye candy test.” “He’s got an ugly girlfriend. Ugly girlfriend means no confidence.”
In the middle of this, Billy asks the question that matters: “If he’s a good hitter, why doesn’t he hit good?” He’s reading the player’s stats while the scouts describe the sound of the ball coming off the bat. They gloss right over him and go back to their non-measurement evaluations. Beane loses his cool. He asks the room what problem they’re even trying to solve, and the answer comes back: replace three key players in the lineup. They can name the problem. They just can’t solve it with the tools they trust. The A’s were not a well-funded team. They couldn’t scout like the Yankees (money), so they were forced to recruit in a completely different way.
The scouts are using qualitative metrics (“eye candy” and “ugly girlfriend”) and are measuring entirely the wrong thing. The entire movie is about moving an organization from qualitative metrics to quantitative ones.
I’ve sat at the cybersecurity version of that table more times than I can count. Ours has a heatmap on the wall. We rate a risk high. We call a threat critical. Those are adjectives, not measurements, and we pass them around like they’re data. One team’s high isn’t another team’s high, and nobody can tell you by how much. The fix is the one Beane found. The scouts weren’t only guessing on looks. They also trusted the wrong numbers, batting average and RBIs, when the stat that tracked winning was on-base percentage, undervalued because nobody else paid for it.
The A’s started winning when they started measuring the right thing, quantitatively: a good OBP-to-cost ratio. Our version of that number is how much we stand to lose from an event, and how often.
2. Zero Dark Thirty: Expert Elicitation
Zero Dark Thirty is a great movie, and one scene in it captures something I’ve felt in front of the C-suite many times in my career.
CIA analysts are briefing the director, Leon Panetta, played by James Gandolfini. The question on the table is whether to launch the raid on Osama bin Laden’s compound. Panetta is pushing the room hard. He’s about to go look the President in the eye, and he wants to know where everyone stands. Is he there, or is he not there?
The leadership won’t hand him a clean yes or no. One of the senior people pushes back with a line I think about a lot. We all come at this through the filter of our own past experiences. He brings up Iraq, the WMD intelligence that turned out to be wrong, the case he fronted himself, and reminds the room it looked stronger than this one. What he’s describing is expert judgment, also called subject matter elicitation. We form our beliefs and we update them as new information arrives, and we read that information through everything we’ve seen before. Regular readers will recognize the idea.
Panetta pushes harder. He wants a yes or a no, though he puts it more colorfully. The reply is the whole point of the scene. We don’t deal in certainty, we deal in probability. Then they go around the room and collect numbers: Sixty percent. I concur, sixty. Eighty. A soft sixty. If you read my last issue, this is Sherman Kent’s work playing out on screen, the CIA learning to put probabilities on its forecasts instead of mushy words. It’s expert elicitation, the same thing a good risk workshop does when it gathers several experts’ beliefs about an uncertain question and combines them.
Then they fold in Maya, Jessica Chastain’s character, who has hunted this man for years. Maya says a hundred percent he’s there. She walks it back to ninety-five, because she knows certainty makes the room nervous.
Here’s an interesting part of the scene: Maya’s hundred percent is the line everyone quotes, but it’s the wrong answer. Nobody who has chased a target for years should sit at a hundred percent. The people hedging around her, the soft sixty and the eighty, were the ones doing it right. The movie hands her the hero moment for sounding sure anyway. We’ve all been there, and we all have to resist the temptation to shave off our doubt to appease an impatient executive.
This scene gets a full workup in Superforecasting, the Tetlock and Gardner book on prediction. They walk through the real decision behind it, where the estimates ran from thirty percent to ninety-five, and they land on the same point.
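The round of numbers from the scene, pooled two ways, as an added example (this is not code from the newsletter or from Superforecasting): a plain average of the probabilities and an average taken in log-odds space. The five values are the ones quoted above (sixty, sixty, eighty, a soft sixty, and Maya's walked-back ninety-five); the pooling rules are standard choices assumed here, not something the post prescribes. The log-odds version refuses a hundred percent outright, because certainty has infinite odds and cannot be averaged with anyone else's view.

```python
"""Combining several experts' probability estimates (added example).

The five numbers are the ones called out in the Zero Dark Thirty scene;
the two pooling rules are standard choices, not anything the post prescribes.
"""
import math

# Constructed from the dialogue: sixty, sixty, eighty, a soft sixty, ninety-five.
SCENE_ESTIMATES = [0.60, 0.60, 0.80, 0.60, 0.95]


def logit(p: float) -> float:
    """Probability -> log-odds. Refuses 0 and 1: certainty has infinite
    odds, so it cannot be pooled with anyone else's forecast."""
    if not 0.0 < p < 1.0:
        raise ValueError(f"estimate {p} is certainty, not a forecast")
    return math.log(p / (1.0 - p))


def inverse_logit(x: float) -> float:
    """Log-odds -> probability."""
    return 1.0 / (1.0 + math.exp(-x))


def combine_mean(estimates) -> float:
    """Linear opinion pool: the plain average of the probabilities."""
    return sum(estimates) / len(estimates)


def combine_log_odds(estimates) -> float:
    """Average in log-odds space, then map back to a probability.
    Confident views pull harder here than in the linear pool."""
    return inverse_logit(sum(logit(p) for p in estimates) / len(estimates))


def spread(estimates) -> tuple:
    """Low and high end of the room. The disagreement is information too."""
    return min(estimates), max(estimates)


if __name__ == "__main__":
    print("mean pool:     ", round(combine_mean(SCENE_ESTIMATES), 3))
    print("log-odds pool: ", round(combine_log_odds(SCENE_ESTIMATES), 3))
    print("spread:        ", spread(SCENE_ESTIMATES))
    try:
        combine_log_odds(SCENE_ESTIMATES + [1.0])  # Maya's original number
    except ValueError as err:
        print("rejected:      ", err)
```

The two pools land close together for this room (about 0.71 and 0.75), and the spread of 0.60 to 0.95 is worth reporting alongside either, since it tells the decision maker how much the experts actually disagree.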
I’ve lived the first half of this scene more times than I’d like to admit. I’ll put a line on a slide: thirty percent chance we lose more than ten million dollars this year. The executive pushes back and tells me to make it a yes or a no. Just tell me if it’s going to happen.
Here’s the lesson. We are always forecasting an uncertain future. When I say thirty percent, I’m not dodging. Thirty percent is the answer. It’s the forecast, it’s a real usable number, and you can build a decision on it. You can then have a long conversation about trade-offs, opportunity cost, and where the next dollar should go. What you can’t do is crush it into a yes or no, because that throws away the most useful thing I carried into the room. Quantifying my uncertainty and saying it out loud is the most valuable thing I walk in with.
3. Fight Club: Expected Value
“On a long enough timeline, the survival rate for everyone drops to zero.”
That’s The Narrator in Fight Club. It’s a more macabre version of Keynes: in the long run, we’re all dead. Both lines are jokes built on the same risk concept. Probability means nothing without a time horizon, and over a long enough one, a small recurring chance becomes a certainty.
In addition to that cool easter egg for quant and econ nerds, did you know there’s an expected value calculation, the same math we use in cyber risk, hiding in plain sight in Fight Club?
The scene: The Narrator on a plane, explaining his job to his seatmate in the flattest voice imaginable. He’s a recall coordinator for a car company. His whole job is one formula: Take the number of cars in the field, multiply by the probable rate of failure, multiply by the average payout when someone sues. If that total is smaller than the cost of a recall, there is no recall.
That’s an expected value calculation, something most of us should recognize. The idea is simple. Take the chance of a bad thing and multiply it by what it costs. The recall coordinator does it for one car, a failure rate times an average settlement, then scales it across the fleet. Out comes a single number: what the problem is worth in dollars.
Swap the labels and you have the basics of cyber risk quantification: how often a breach might hit times what one would cost. Longtime readers know what comes next, because I spend a lot of energy warning people off exactly this. The recall coordinator used one failure rate and one settlement cost and walked away with one number. That is ALE equals ARO times SLE (annualized loss expectancy as annual rate of occurrence times single loss expectancy), the single-point-estimate version of the ranges we now feed into a Monte Carlo simulation.
4. Margin Call: Communicating Quantitative Risk Results
Margin Call is a fantastic movie. It’s one of three films I’d hand anyone who wants to understand the 2008 financial crisis, alongside The Big Short and Too Big to Fail.
This clip will land for anyone who has carried bad risk news into a room full of executives. The firm is just coming to terms with an existential threat. There’s an emergency leadership meeting in the middle of the night, and the CEO, John Tuld, played by Jeremy Irons, asks the young analyst who found the problem to explain it. Peter Sullivan, played by Zachary Quinto, gets the floor. Tuld’s request is the line everyone remembers: speak as you might to a young child, or a golden retriever. It wasn’t brains that got him to the top floor, he says, so keep it simple. I love that line, because the job often is exactly that. Explain something complicated, in plain words, in the few minutes before you lose the room.
What follows is a masterclass in risk communication.
Peter lays it out. What is happening, how they got here, what the firm is exposed to, and what happens if they do nothing. He uses exactly one number, and it’s the only one that matters: if those assets drop just twenty-five percent and stay on the books, the loss is bigger than the entire company is worth. He never walks them through the model. No distributions, no jargon, nothing you’d need a finance degree to follow.
That’s the move, and it is not the same as dumbing it down. Dumbing it down loses the substance. Peter keeps the substance and loses the jargon. He had the number that mattered, and he said it in plain English. That is the whole job. You find the risk, you find why the firm is exposed to it, you make the stakes land, and you say it in language a human can act on.
Then you stop. That’s the start of a conversation, not the end. The risk analyst’s job is to enable a decision, not to make it. This clip shows exactly how it’s done.
5. Avengers: Infinity War: Monte Carlo Sim
Monte Carlo simulation bores people faster than anything else I teach, and the name is the whole problem. The people who built it could not bring themselves to pick a plain label. They were building nuclear weapons at Los Alamos, they needed a code name, and they reached for the Monte Carlo casino in Monaco, where Stanislaw Ulam’s uncle liked to borrow money from the family and gamble it away. So the thing ends up sounding like a card trick. I have had grown professionals tell me to my face that it’s black magic and they don’t trust it. That’s flat earth thinking.
It’s just arithmetic. You write your inputs as ranges, you let a computer roll dice inside those ranges tens of thousands of times, and you look at the spread of what comes out. If you have sat through a statistics class, you already know how to sample. That is all this is. Ulam worked the whole method out trying to figure his odds of winning a hand of solitaire, gave up on the combinatorics, and decided he’d just deal the game a few hundred times and count. That’s the entire idea.
The Hollywood version is in Avengers: Infinity War. Doctor Strange uses the Time Stone to look into the future, comes back shaking, and says he has seen 14,000,605 of them. How many do they win? One. That is a Monte Carlo simulation with a much larger effects budget. A real one samples a giant random chunk of the futures instead of every single one, but the idea holds. Doctor Strange also explains a concept we risk people know well: a single win out of fourteen million is a tail. It’s the model telling you the good ending is real but very rare.
Here’s how I say it without a Time Stone. You want to understand a data breach next year, both how often one might hit and how bad it could get. So you simulate fifty thousand 2027s. Each run pulls from the ranges you set, plays the year out, and writes down the damage. Then you line up all fifty thousand results from best to worst, slice them into percentiles, and your typical year and your nightmare year are sitting right next to each other. No magic, but a lot of dice.
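The recall coordinator's one-number arithmetic from the Fight Club section next to the fifty-thousand-years version described here, as an added example (not code from the newsletter or from the book). It assumes a breach frequency given as a range of annual rates, a loss size given as a 90% confidence interval and modelled as lognormal, and Poisson-distributed event counts within a year; every input figure is constructed for illustration and is not a number from the post.

```python
"""Expected value as one number, then the same question run as a
Monte Carlo simulation over ranges (added example).

All input figures are constructed for illustration, not from the post.
"""
import math
import random
import statistics

Z_95 = 1.645  # standard-normal z-score at the 95th percentile


def point_estimate_ale(aro: float, sle: float) -> float:
    """The recall coordinator's arithmetic: annualized loss expectancy is
    annual rate of occurrence times single loss expectancy."""
    return aro * sle


def lognormal_params_from_90ci(low: float, high: float) -> tuple:
    """Turn a 90% confidence interval on loss size (5th and 95th
    percentile) into the mu/sigma of a lognormal distribution."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def poisson_sample(rate: float, rng: random.Random) -> int:
    """How many events land in one year at a given annual rate
    (Knuth's multiplication method; adequate for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_years(rate_low, rate_high, loss_low, loss_high,
                   runs=50_000, seed=7):
    """Play out `runs` independent years. Each year draws an annual event
    rate from its range, draws how many events occur at that rate, draws
    a loss for each event, and records the year's total damage."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params_from_90ci(loss_low, loss_high)
    results = []
    for _ in range(runs):
        rate = rng.uniform(rate_low, rate_high)
        events = poisson_sample(rate, rng)
        results.append(sum(rng.lognormvariate(mu, sigma)
                           for _ in range(events)))
    return results


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list."""
    rank = max(1, math.ceil(p / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def summarize(results):
    """Line the years up from best to worst and read off the landmarks:
    the typical year (p50), a bad year (p90), the nightmare (p99)."""
    s = sorted(results)
    return {
        "mean": statistics.fmean(s),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),
        "p99": percentile(s, 99),
        "max": s[-1],
        "zero_loss_years": sum(1 for v in s if v == 0) / len(s),
    }


if __name__ == "__main__":
    # Constructed inputs: a breach 0.2 to 0.4 times a year, costing
    # somewhere between $1M and $20M (90% CI) each time it happens.
    print("point estimate ALE:", point_estimate_ale(0.3, 5_000_000))
    summary = summarize(simulate_years(0.2, 0.4, 1_000_000, 20_000_000))
    for key, value in summary.items():
        print(f"{key:>16}: {value:,.2f}")
```

With these inputs roughly three years in four have no breach at all, so the typical year (p50) comes out as zero loss while the 99th percentile is a multi-million-dollar year. The point estimate collapses that whole spread into one figure, which is exactly the information a decision maker loses when you hand over ALE alone.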
What Did I Miss?
I love metaphors, analogies, and stories for explaining complicated concepts. I have been collecting scenes like these for years, and the list runs a lot longer than five. It keeps growing, too, because there’s no shortage of movies to watch. So tell me the scene I missed, the weirder the better. The best ones go in part two.
👉 Before You Go
❤️ If you like my newsletter, please do me a favor and forward it to one person on your team who you think will enjoy it.
📘 The book. From Heatmaps to Histograms is out now, and it hit #1 in Amazon’s Computer Network Security category. You can buy it anywhere books are sold. The ebook is available now from Springer and Barnes & Noble, and the publisher is working on a Kindle edition. 🔗 Amazon · 🔗 Book site
🎤 Where I’ll be. I’m running a workshop at DEF CON’s Noob Village this year: ninety minutes of quantitative risk for absolute beginners, no background required. More details coming soon.
✉️ Contact
Have a question about this, or anything else? Here’s how to reach me:
Reply to this newsletter if reading via email
Comment below
Connect with me on LinkedIn
🌐 Elsewhere
I share shorter thoughts on risk, metrics, and decision-making on LinkedIn.
Book updates, chapter summaries, tools, and downloads are at www.heatmapstohistograms.com
My longer-form essays and older writing live at www.tonym-v.com
Thanks for reading,
Tony