Threatonomics

Breaking Lemonade: Understanding Value at Risk

Protect your organization from the most financially damaging threats by understanding what is truly at stake

by Rob Brown, Sr Director of Cyber Resilience

I talk a lot about value-at-risk with my colleagues, with our customers, and with the broader market. Value-at-risk may be the single most important measure to grasp; without it, one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet these are all important concepts that leadership in modern organizations needs to understand on the journey from siloed security and insurance to integrated cyber resilience.

If this concept still feels unclear to you, consider this tale of how a young entrepreneur who owned a lemonade stand understood her value-at-risk through the threat of a neighborhood bully in a story we call “Breaking Lemonade.”

Breaking Lemonade

Olivia is an enterprising young person in the neighborhood who operates a lemonade stand. For an eleven-year-old, she makes a rather healthy income during her summer holiday. She typically sells ~40 cups of lemonade per day in a four-hour window at a price of $1 per cup. Recently, she began having problems with a neighborhood bully named Walter.


Walter was threatening to disrupt her business by preventing her from selling lemonade unless she paid the “tax” of $5 every time he came around to “check on the business.” He had a reputation for similar anti-social behaviors on the other side of the neighborhood. She thought about getting her older brother, Oliver, to bust his shins, but that seemed too barbaric.


“You need bully insurance,” Oliver said.


“Bully insurance? What is that, and how much do I need?”


“It pays you back if you lose money to bullies. The first step is to figure out how much value at risk you face. How do you make money?”


“I sell lemonade by the cup. Since I make about $40/day, six days a week, for two and a half months, that’s $2400 at risk!” Olivia’s eyes revealed sheer panic at the thought of her whole summer business going down the drain.


“Calm down, sis. It’s not likely that Walter would close your entire business for the summer. He has other kids to pester. Girl scouts selling cookies. Kids mowing lawns. Being a bully is a business, too. It takes considerable effort, and he can’t be everywhere at once. And he wants his take, which he won’t get if your stand goes away. So let’s think about what he most likely can do. What’s the almost-worst-case situation you can imagine?”


“Well, even if he poured out my lemonade, smashed my stand, and broke my pitcher, I could get mom to make a new batch of lemonade and have a new stand made out of fruit crates in three hours. Since I make ~$10/hour, that would be $30 plus the cost of a $10 pitcher. And the tax. So, $45.”

“Great! Now, what about the almost-best-case situation? What if your losses were less? How does that play out?”


“Well, I suppose he could come to scare off the little kids that come by, but usually some golfers are around when the kids come by on the 9th hole. The golfers might scare him a little, too. So maybe he can only stop business for half an hour. That would be $5. And, again, the tax. $10.”


Oliver smiled. His sister showed all the signs of becoming a world-class lemonade magnate.


“There you have it. Your value at risk is between $10 and $45 per bullying event. Now, let’s think about how often these events might occur. Remember, you’re not Walter’s only target.”


Olivia thought about how often she had actually seen Walter around. It wasn’t as often as his initial threat made it appear. “Maybe three times this summer?”


“So, for this summer, your value at risk is between $30 and $135. I know that seems like a wide range, but you thought through the plausible ways you could lose value from Walter’s shenanigans based on how your business operates and how you could counteract his bullying. That seems like an accurate way to think about it. Let’s go talk to Willy Loman, the kid down the street who runs a neighborhood insurance company. He offers good rates. He sold me prom insurance last year in case I couldn’t get a date.”

Value-at-risk is anything that an organization values, namely cash or its potential equivalents, that it would regret losing. There are innumerable ways to lose cash, but usually only a few show up as materially concerning. Traditionally, cybersecurity practitioners are taught to focus on preventing all incidents, whether or not they would lead to immediate loss of cash. Not only is this functionally impossible, but attempting it also represents a huge, potentially negligent, waste of resources.

Instead, we should understand the sources of the most likely, plausible losses and how they could breach our capital reserves, causing material losses, and understand which threats are most likely to cause them. When we quantify the impact of these plausible losses, we are identifying our organization’s value-at-risk.

Conceptually, a business facing a ransomware attack or business email compromise is not that much different from a kid operating a lemonade stand that faces disruption and extortion from a local bully. And while the complexity of quantifying the value at risk of an adult-sized company is a little greater, it’s not that much greater than what Olivia and Oliver showed us in their conversation in “Breaking Lemonade.” With some persistence, resourcefulness, and systematic thinking, you can master this concept, too.

To better understand how value at risk is applied in cybersecurity, listen to our in-depth discussion with Jack Jones and Doug Hubbard as they explain how to measure what matters on the new frontier of risk management.
