I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to understand on their journey from siloed security and insurance to integrated cyber resilience.
If this concept still feels unclear to you, consider this tale of how a young entrepreneur who owned a lemonade stand understood her value-at-risk through the threat of a neighborhood bully in a story we call “Breaking Lemonade.”
Breaking Lemonade
Olivia is an enterprising young person in the neighborhood who operates a lemonade stand. For an eleven-year-old, she makes a rather healthy income during her summer holiday. She typically sells ~40 cups of lemonade per day in a four hour window at a price of $1 per cup. Recently, she began having problems with a neighborhood bully named Walter.
Walter was threatening to disrupt her business by preventing her from selling lemonade unless she paid the “tax” of $5 every time he came around to “check on the business.” He had a reputation for similar anti-social behaviors on the other side of the neighborhood. She thought about getting her older brother, Oliver, to bust his shins, but that seemed too barbaric.
“You need bully insurance,” Oliver said.
“Bully insurance? What is that, and how much do I need?”
“It pays you back if you lose money to bullies. The first step is to figure out how much value at risk you face. How do you make money?”
“I sell lemonade by the cup. Since I make about $40/day, six days a week, for two and a half months, that’s $2400 at risk!” Olivia’s eyes revealed sheer panic at the thought of her whole summer business going down the drain.
“Calm down, sis. It’s not likely that Walter would close your entire business for the summer. He has other kids to pester. Girl scouts selling cookies. Kids mowing lawns. Being a bully is a business, too. It takes considerable effort, and he can’t be everywhere at once. And he wants his take, which he won’t get if your stand goes away. So let’s think about what he most likely can do. What’s the almost-worst-case situation you can imagine?”
“Well, even if he poured out my lemonade, smashed my stand, and broke my pitcher, I could get mom to make a new batch of lemonade and have a new stand made out of fruit crates in three hours. Since I make ~$10/hour, that would be $30 plus the cost of a $10 pitcher. And the tax. So, $45.”
“Great! Now, what about the almost-best-case situation? What if your losses were less? How does that play out?”
“Well, I suppose he could come to scare off the little kids that come by, but usually some golfers are around when the kids come by on the 9th hole. The golfers might scare him a little, too. So maybe he can only stop business for half an hour. That would be $5. And, again the tax. $10.”
Oliver smiled. His sister showed all the signs of becoming a world-class lemonade magnate.
“There you have it. Your value at risk is between $10 and $45 per bullying event. Now, let’s think about how often these events might occur. Remember, you’re not Walter’s only target.”
Olivia thought about how often she had actually seen Walter around. It wasn’t as often as his initial threat made it appear. “Maybe three times this summer?”
“So, for this summer, your value at risk is between $30 and $135. I know that seems like a wide range, but you thought through the plausible ways you could lose value from Walter’s shenanigans based on how your business operates and how you could counteract his bullying. That seems like an accurate way to think about it. Let’s go talk to Willy Loman, the kid down the street who runs a neighborhood insurance company. He offers good rates. He sold me prom insurance last year in case I couldn’t get a date.”
Value-at-risk is anything that an organization values, namely cash or its potential equivalents, that it would regret losing. There are innumerable ways to lose cash, but usually only a few show up as materially concerning. Traditionally, cybersecurity practitioners are taught to focus on preventing all incidents whether or not they would lead to immediate loss of cash. Taking this approach is not only functionally impossible, but it also represents a huge, potentially negligent, waste of resources to accomplish.
Instead, we should understand the sources of the most likely, plausible losses and how they could breach our capital reserves–causing material losses—and understand which threats are most likely to cause them. When we quantify the impact of these plausible losses, we are identifying our organization’s value-at-risk.
Conceptually, a business facing a ransomware attack or business email compromise is not that much different from a kid operating a lemonade stand that faces disruption and extortion from a local bully. And while the complexity of quantifying the value at risk of an adult-sized company is a little greater, it’s not that much greater than what Olivia and Oliver showed us in their conversation in “Breaking Lemonade.” With some persistence, resourcefulness, and systematic thinking, you can master this concept, too.
To better understand how value at risk is applied in cybersecurity, listen to our in-depth discussion with Jack Jones and Doug Hubbard as they explain how to measure what matters on the new frontier of risk management.
