cyber resilience framework
Threatonomics

How Cyber Resilience Tolerates Losses Within Limits

by Rob Brown , Sr Director of Cyber Resilience
Published

The Most Hated Question In Security

After taking an informal and unscientific poll, the most hated security question is, “Are we secure?” Only slightly better is, “Are we secure against known threats?” It’s rarely asked the second way. Both are dreaded – particularly in the boardroom.

An altogether better question is, “Are we resilient?” Or said in business terms, “Are we resilient to plausible losses?” That question brings security and finance together. Now united, they must demonstrate that the business is sustainable in the face of losses.

Finance is responsible for dealing with unexpected, yet plausible, financial losses, managed through insurance (risk transfer) and cash reserves (risk acceptance). Security is responsible for reducing the likelihood of plausible losses through risk mitigation. To the detriment of the business, each often works in isolation.

But risk mitigation, transfer, and acceptance should be designed to work together. They are the most collaborative when they have the same objective – keeping risk within tolerance.  This should be security’s and finance’s shared north star– they just don’t often recognize it. Financial leaders and security experts must define what risk tolerance is together for the sake of the business.

Current Vs Target Security Risk

 

The Cyber Resilience North Star

What’s our risk tolerance?” Most security leaders hate this question too. Some might say it’s worse than “Are we secure?” Yet you may be surprised to learn that the business already answers this question (in part) when they buy cyber insurance. What they are buying is a limit. A limit is a key piece of the risk tolerance puzzle. Your CFO wants a limit large enough to keep people’s mitts off their capital reserves – within reason.

  • Risk of Exceeding Insurance Limit $20M: 34% Risk of Exceedance

Whether your CFO frames it this way or not, they are saying, “Any impacts beyond our limit will be handled by our cash reserves – our treasury – and we can only take so much of that.” Currently, this is said in isolation to security.

Most likely, they would prefer to say the following, “Our investments in security and insurance combined with our cash reserves (as a backstop) make us resilient to plausible cyber losses. Our strategy does this without incurring the moral hazards of under-investment nor the excesses of fear, uncertainty, and doubt.”

What the CFO is saying, in a qualitative manner, is that risk is being managed to tolerance.

Framing The Tolerance Question Quantitatively

Are you okay with a 34% chance of losing $20 million or more – over the next three years?” Better still, “Are you okay with a 34% chance of losing $20 million with a 20% chance of losing $100 million or more – over the next three years?

What’s wrong with this last question? There is a problem. A big one. A brave soul will invariably say, “It’s relative…risk is relative!” But what we must be asking is, “Relative to what specifically?

Risk is relative to the cash you have on hand. If your reserves are in the billions, then these losses may not be the first thing you think about when waking up. You may be tolerant of these potential losses. However, many companies would find these losses concerning – particularly given the extent of the tail risk.

Tolerance Is Found Through Scenario Modeling

Here’s a thought-provoking question: As stated, over a three-year period, you face a 34% chance of losing $20 Million and a 20% chance of losing $100 Million or more. What might you be willing to pay each year (over three years) to move that to a 10% chance of losing $20M and a 5% chance of losing $100M or more? Note: you may want to read that twice and look at the first graph above.

This type of question cannot be answered by any form of benchmarking. It can only be answered by running numerous strategic scenarios that consider:

  • The cost of a desired insurance limit
  • The cost (and return on) security controls
  • The magnitude and probability of losses potentially impacting reserves

Those scenarios will reflect your company’s value at risk (exposure) and your company’s financial position as it evolves. You and your CFO (at the very least) need to see the potential impacts of different strategy scenarios as a team. Facing these quantitatively, you will recognize risk and cost trade-offs that must be considered before committing to an integrated risk management strategy. Taken together, all of this informs what your tolerance is and how much you should spend to keep risk within it.

Does building resilient strategies that aim to keep risk within tolerance sound important to you? Learn more by signing up for our community webinars or onsite training. For a collaborative and quantitative risk management engagement with our experts, contact us directly at cyber-risk-quant@resilienceinsurance.com

*Please note: All percentages, risk calculations, and models in this article are for illustrative purposes only.

About the Author
Rob Brown , Sr Director of Cyber Resilience

Robert has over 25 years of experience in strategic planning and advising, working across startups, government agencies, and Fortune 100 companies. One of the masterminds behind our popular cyber risk quantification (CRQ) training series, Rob spent the last 25 years as a decision scientist and strategic consultant assessing value and risk tradeoffs for complex projects in oil and gas, manufacturing, homeland security, pharmaceuticals, asset allocation, and more. He is the author of Business Case Analysis with R - Simulation Tutorials to Support Complex Business Decisions (Springer-Nature, 2018).

You might also like

Why your CFO expects your CISO to measure risk buydown

The CISO walks into the CFO’s office with a carefully prepared pitch. “We need a $500,000 EDR solution,” she says, presenting vendor comparisons and threat intelligence reports. The CFO nods politely and asks one question: “What’s the return on that investment?” The meeting goes sideways from there. The CISO talks about improved threat detection and […]

OpenClaw went viral. So did its security vulnerabilities.

Personal AI agents promise to streamline workflows and automate routine tasks, but a series of recent security incidents has exposed a critical vulnerability in how these tools acquire new capabilities. The findings reveal that threat actors are exploiting the same supply chain tactics that have compromised traditional software ecosystems, while platform security failures are exposing […]

Killing legacy systems might be your smartest financial move 

Every CISO has that one system. Maybe it’s running on Windows Server 2008. Maybe it’s the manufacturing control system that predates your current CEO. Maybe it’s the ancient database that three different business-critical applications depend on, maintained by one person who’s been threatening to retire for five years. You know these systems are problems. Your […]

What your CFO actually cares about (and how to speak their language)

You walk into your CFO’s office with a carefully prepared business case for a critical security investment. The risk assessment is complete, the vulnerabilities are documented, and you’re ready to make your argument. But the moment you mention “attack surface” or “zero-day vulnerabilities,” you can see their attention drift. The issue isn’t that your CFO […]

Risk Briefing: Cyber extortion has fundamentally changed

On January 14, 2026, Resilience launched its inaugural Risk Briefing Series with a clear message for CISOs: the cyber extortion playbook has been rewritten, and organizations relying on traditional defenses are dangerously exposed. In the first session of this monthly intelligence series, Jud Dressler, Director of Resilience’s Risk Operations Center and retired U.S. Air Force […]

The 65% shift that proves ransomware as we know it is dead

The cybersecurity industry has a terminology problem. We’re still calling it “ransomware” when the majority of attacks no longer encrypt and request a ransom for decryption as their primary weapon. Resilience’s analysis of cyber extortion claims in our portfolio throughout 2025 reveals a dramatic acceleration in attack methods. Data theft extortion-only events rose from 49% […]