December 15, 2023
Cyber Risk

In Football and Cybersecurity, Data Analytics Drive Game-Changing Plays

What we can learn from the top team coaches about quantitative risk analysis

How Data Analytics Are Driving Game-Changing Plays in Football and Cybersecurity

What can CISOs learn from Bill Belichick, legendary coach of the New England Patriots? In the fast-paced and high-stakes world of US professional football, split-second decisions can make all the difference between victory and defeat. In the past, many of these decisions were made based on gut feelings, tradition, or even superstition. However, the advent of football analytics has ushered in a new era of data-driven decision-making that has proven to be a game-changer on the field.

The Power of Decision Support

One of the most striking examples of data-driven in-game decision-making can be seen in the use of advanced statistics and models to inform crucial choices during a football game. Gone are the days when coaches relied solely on intuition to decide whether to go for it on fourth down, attempt a two-point conversion, or kick a field goal.

Instead, decision support tools and models now provide coaches with valuable insights into the probability of success for each option. For instance, a coach can consult a decision support system that calculates the expected points added (EPA) for different choices based on historical data. This means that decisions are not made in isolation but are instead backed by empirical evidence.

A study published in the "Journal of Sports Analytics" titled "Optimal Play Calling in American Football" by Romer and Romer (2020) highlights the impact of data-driven play-calling on game outcomes. The study found that teams that embraced data-driven decision-making when choosing offensive plays had a significantly higher chance of winning.

Data-driven Success Stories: The New England Patriots and the Kansas City Chiefs

Two prominent examples of NFL teams that have reaped the rewards of data-driven decision-making are the New England Patriots and the Kansas City Chiefs.

The New England Patriots, led by coach Bill Belichick, have consistently demonstrated their commitment to using data to gain a competitive edge. Belichick's meticulous game planning and strategic decisions have been informed by extensive film study and analytics. This approach has led to multiple Super Bowl victories and a sustained period of success that has made the Patriots a dynasty in the NFL.

On the other side, the Kansas City Chiefs, led by head coach Andy Reid, have embraced innovative data-driven strategies. They have employed analytics to optimize player performance, make informed play-calling decisions, and enhance overall team efficiency. Their success culminated in a Super Bowl victory in 2020, showcasing the effectiveness of data analytics in modern football.

Cyber Risk Quantification for “Fourth Down” Decisions in Cybersecurity

Just as data-driven decision-making has transformed the landscape of football, a similar revolution is underway in the business world, specifically in the realm of cyber risk quantification. In the past, many organizations relied on intuition and rough estimates to assess their cyber risks, much like the gut feelings of football coaches before the advent of analytics.

However, with the emergence of cyber risk quantification tools and methodologies, businesses can now make more fact-based and informed decisions regarding their cybersecurity strategies. These tools provide decision support by analyzing historical data, current vulnerabilities, threat intelligence, and potential impact to calculate the probability of cyber incidents and their financial implications.

Much like how football coaches consult decision support systems for play-calling, business leaders can now turn to cyber risk quantification models to understand the likelihood and severity of cyberattacks. This empowers organizations to allocate resources effectively, prioritize security measures, and make strategic decisions based on data-driven insights.

The success stories of football teams like the Patriots and the Chiefs highlight the tangible benefits of embracing data and analytics. Similarly, businesses that adopt cyber risk quantification methodologies are better equipped to protect their digital assets, minimize financial losses, and maintain a competitive edge in an increasingly digital world.

Let’s see how this plays out in both high-stakes games:

Football Scenario:

Coach's Decision: Seizing Opportunity on Fourth Down

Imagine a high-stakes football game with only minutes left on the clock and the score tied. The coach knows that the next play could determine the outcome and needs the best information available to make the right call. Here's how the coach and team leverage data and cost-benefit analysis:

Data Collection:

The coaching staff collects a wealth of data, including historical success rates in similar situations, the opponent's defensive statistics in short-yardage scenarios, field position, time remaining, and the team's remaining timeouts.

Data Analysis:

Using advanced analytics tools, the coaching staff conducts an in-depth analysis of the available data. They calculate the probability of successfully converting the fourth down based on historical trends, and they estimate the potential gains and losses associated with different decisions.

Cost-Benefit Analysis:

The coaching staff considers the cost and benefit of each option. They weigh the potential reward of a successful fourth-down conversion against the risk of failure, which could give the opponent excellent field position. They also factor in the remaining time and timeouts to assess the potential game-winning scenarios.

Based on this thorough data analysis and cost-benefit assessment, the coach decides to go for it on fourth down. The data-driven approach suggests that the potential benefits of converting the fourth down outweigh the risks, aligning with the team's strategy to maximize their chances of victory.

Cybersecurity Scenario:

CISO's Decision: Safeguarding Crown Jewel Assets from Data Exfiltration

In the cybersecurity realm, the CISO faces a critical decision regarding the protection of crown jewel assets from potential data exfiltration. The CISO and the security team leverage the best available information and conduct a cost-benefit analysis, including FAIR-based analysis, to guide their decision:

Data Collection:

The cybersecurity team diligently gathers relevant data, including the valuation of crown jewel assets, the latest threat intelligence indicating advanced threats, vulnerability assessment results, historical incident data, and regulatory compliance requirements.

Data Analysis:

Armed with a comprehensive dataset, the cybersecurity team employs FAIR analysis alongside security frameworks. They assess the likelihood of a data breach involving crown jewel assets, considering the tactics of advanced threat actors and potential attack vectors.

Cost-Benefit Analysis:

The CISO and team perform a cost-benefit analysis to evaluate the potential impact of a data breach against the costs associated with implementing enhanced security measures. They weigh the financial, reputational, and regulatory consequences of a breach against the investments required for improved security.

Taking a cue from their data-driven and FAIR-based analysis, the CISO and the security team decide to proactively strengthen defenses around crown jewel assets. They allocate resources for advanced threat detection, implement security patches and updates, and enhance employee training and awareness programs. The cost-benefit analysis supports their decision to minimize the risk of data exfiltration, protecting the organization's most valuable assets and ensuring regulatory compliance.
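The CISO's cost-benefit step can be made concrete with a small FAIR-style Monte Carlo simulation. The sketch below is an added example, not code from this article or from any product; every figure is a constructed estimate, the function names are hypothetical, and a triangular distribution stands in for the PERT distribution that FAIR analyses commonly use.

```python
import math
import random
import statistics

# Constructed calibrated estimates as (min, most likely, max); not real data.
MAGNITUDE = (250_000, 1_200_000, 6_000_000)  # loss per exfiltration event, USD
BASELINE_LEF = (0.05, 0.20, 0.60)            # loss events per year, current controls
TREATED_LEF = (0.01, 0.05, 0.20)             # loss events per year, enhanced controls
CONTROL_COST = 150_000                       # annual cost of the enhanced controls, USD

def _poisson(rng, lam):
    """Knuth's method; adequate for the small annual frequencies used here."""
    limit, count, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count

def simulate_annual_loss(lef, magnitude, years=20_000, seed=1):
    """Return sorted simulated annual losses: frequency x magnitude per year."""
    rng = random.Random(seed)
    (f_lo, f_ml, f_hi), (m_lo, m_ml, m_hi) = lef, magnitude
    losses = []
    for _ in range(years):
        events = _poisson(rng, rng.triangular(f_lo, f_hi, f_ml))
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml) for _ in range(events)))
    return sorted(losses)

def summarize(losses):
    """Annualized loss exposure (mean) and the 90th-percentile year."""
    return {"ale": statistics.fmean(losses), "p90": losses[int(0.9 * len(losses))]}

def cost_benefit(baseline, treated, annual_control_cost):
    """Compare expected risk reduction with what the controls cost."""
    reduction = baseline["ale"] - treated["ale"]
    return {"risk_reduction": reduction,
            "net_benefit": reduction - annual_control_cost,
            "worth_funding": reduction > annual_control_cost}

def run_example():
    base = summarize(simulate_annual_loss(BASELINE_LEF, MAGNITUDE))
    treated = summarize(simulate_annual_loss(TREATED_LEF, MAGNITUDE))
    return base, treated, cost_benefit(base, treated, CONTROL_COST)

if __name__ == "__main__":
    base, treated, decision = run_example()
    print(f"baseline ALE ${base['ale']:,.0f}  p90 ${base['p90']:,.0f}")
    print(f"treated  ALE ${treated['ale']:,.0f}  p90 ${treated['p90']:,.0f}")
    print(f"net benefit ${decision['net_benefit']:,.0f}  fund: {decision['worth_funding']}")
```

With these constructed inputs, most simulated years under the enhanced controls have no loss event at all, so the 90th-percentile year drops to zero while the mean still carries the tail; reporting both keeps a board from reading the average as a typical year.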


In-game decision-making in football and the evolution of cyber risk quantification in business both share a common thread—the shift from gut feelings and intuition to data-driven, fact-based decisions. The success stories in football underscore the transformative power of data analytics, while the adoption of cyber risk quantification signifies a new era of cybersecurity strategy in the corporate world. Just as data has become integral to winning on the football field, it is now essential for companies to leverage data and risk modeling for making informed decisions and effectively managing cyber risks. So, whether you're a coach on the gridiron or a CISO presenting to the board, embracing data is the key to success in your respective field.