Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Breaking Lemonade: Understanding Value at Risk

Protect your organization from the most financially damaging threats by understanding what is truly at stake

by Rob Brown , Sr Director of Cyber Resilience
Published

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to understand on their journey from siloed security and insurance to integrated cyber resilience. 

If this concept still feels unclear to you, consider this tale of how a young entrepreneur who owned a lemonade stand understood her value-at-risk through the threat of a neighborhood bully in a story we call “Breaking Lemonade.”

Breaking Lemonade

Olivia is an enterprising young person in the neighborhood who operates a lemonade stand. For an eleven-year-old, she makes a rather healthy income during her summer holiday. She typically sells ~40 cups of lemonade per day in a four hour window at a price of $1 per cup. Recently, she began having problems with a neighborhood bully named Walter. 


Walter was threatening to disrupt her business by preventing her from selling lemonade unless she paid the “tax” of $5 every time he came around to “check on the business.” He had a reputation for similar anti-social behaviors on the other side of the neighborhood. She thought about getting her older brother, Oliver, to bust his shins, but that seemed too barbaric.


“You need bully insurance,” Oliver said.


“Bully insurance? What is that, and how much do I need?”


“It pays you back if you lose money to bullies. The first step is to figure out how much value at risk you face. How do you make money?”


“I sell lemonade by the cup. Since I make about $40/day, six days a week, for two and a half months, that’s $2400 at risk!” Olivia’s eyes revealed sheer panic at the thought of her whole summer business going down the drain.


“Calm down, sis. It’s not likely that Walter would close your entire business for the summer. He has other kids to pester. Girl scouts selling cookies. Kids mowing lawns. Being a bully is a business, too. It takes considerable effort, and he can’t be everywhere at once. And he wants his take, which he won’t get if your stand goes away. So let’s think about what he most likely can do. What’s the almost-worst-case situation you can imagine?”


“Well, even if he poured out my lemonade, smashed my stand, and broke my pitcher, I could get mom to make a new batch of lemonade and have a new stand made out of fruit crates in three hours. Since I make ~$10/hour, that would be $30 plus the cost of a $10 pitcher. And the tax. So, $45.”
“Great! Now, what about the almost-best-case situation? What if your losses were less? How does that play out?”


“Well, I suppose he could come to scare off the little kids that come by, but usually some golfers are around when the kids come by on the 9th hole. The golfers might scare him a little, too. So maybe he can only stop business for half an hour. That would be $5. And, again the tax. $10.”


Oliver smiled. His sister showed all the signs of becoming a world-class lemonade magnate.


“There you have it. Your value at risk is between $10 and $45 per bullying event. Now, let’s think about how often these events might occur. Remember, you’re not Walter’s only target.”


Olivia thought about how often she had actually seen Walter around. It wasn’t as often as his initial threat made it appear. “Maybe three times this summer?”


“So, for this summer, your value at risk is between $30 and $135. I know that seems like a wide range, but you thought through the plausible ways you could lose value from Walter’s shenanigans based on how your business operates and how you could counteract his bullying. That seems like an accurate way to think about it. Let’s go talk to Willy Loman, the kid down the street who runs a neighborhood insurance company. He offers good rates. He sold me prom insurance last year in case I couldn’t get a date.”

Value-at-risk is anything that an organization values, namely cash or its potential equivalents, that it would regret losing. There are innumerable ways to lose cash, but usually only a few show up as materially concerning. Traditionally, cybersecurity practitioners are taught to focus on preventing all incidents whether or not they would lead to immediate loss of cash. Taking this approach is not only functionally impossible, but it also represents a huge, potentially negligent, waste of resources to accomplish.

Instead, we should understand the sources of the most likely, plausible losses and how they could breach our capital reserves–causing material losses—and understand which threats are most likely to cause them.  When we quantify the impact of these plausible losses, we are identifying our organization’s value-at-risk. 

Conceptually, a business facing a ransomware attack or business email compromise is not that much different from a kid operating a lemonade stand that faces disruption and extortion from a local bully. And while the complexity of quantifying the value at risk of an adult-sized company is a little greater, it’s not that much greater than what Olivia and Oliver showed us in their conversation in “Breaking Lemonade.” With some persistence, resourcefulness, and systematic thinking, you can master this concept, too.

To better understand how value at risk is applied in cybersecurity, listen to our in-depth discussion with Jack Jones and Doug Hubbard as they explain how to measure what matters on the new frontier of risk management.

About the Author
Rob Brown , Sr Director of Cyber Resilience

Robert has over 25 years of experience in strategic planning and advising, working across startups, government agencies, and Fortune 100 companies. One of the masterminds behind our popular cyber risk quantification (CRQ) training series, Rob spent the last 25 years as a decision scientist and strategic consultant assessing value and risk tradeoffs for complex projects in oil and gas, manufacturing, homeland security, pharmaceuticals, asset allocation, and more. He is the author of Business Case Analysis with R - Simulation Tutorials to Support Complex Business Decisions (Springer-Nature, 2018).

You might also like

A CISO’s guide to winning the annual budgeting battle

It’s that time of year again. Finance has sent the email with the budget template attached. Your CFO wants preliminary numbers by next week. And you’re staring at a spreadsheet wondering how to justify the security investments your organization desperately needs when last quarter’s board meeting included the phrase “do more with less.” Welcome to […]

What the Collins Aerospace outage reveals about vendor risk

On September 19, 2025, chaos erupted at airports across Europe—but not because of weather, strikes, or mechanical failures. Collins Aerospace’s MUSE platform, the digital backbone handling passenger check-in and baggage processing from Heathrow to Dublin, went dark after a ransomware attack. Within hours, major airports including Brussels, Berlin, and Dublin were forced to revert to […]

Does Resilience use your company data to train AI?

In an era where “AI training” has become synonymous with data collection, we get this question a lot: “Does Resilience use our company data to train AI models like ChatGPT?” The short answer? No. But the full answer reveals something more interesting about how we approach cyber risk modeling and why we chose a different […]

New insights on the evolving threat landscape, from our 2025 Midyear Cyber Risk Report 

The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals […]

The seven places you should be looking when building your vendor list

In our first post, we established why comprehensive vendor discovery matters and how most organizations approach it incorrectly. Today, we’re diving into the practical mechanics: the seven data streams that can reveal vendor relationships hiding in your existing systems. The key insight is to start with data you already have rather than surveys or questionnaires. […]

How to get people to care about security when they don’t report to you

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder. In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of […]