Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Breaking Lemonade: Understanding Value at Risk

Protect your organization from the most financially damaging threats by understanding what is truly at stake

by Rob Brown , Sr Director of Cyber Resilience
Published

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to understand on their journey from siloed security and insurance to integrated cyber resilience. 

If this concept still feels unclear to you, consider this tale of how a young entrepreneur who owned a lemonade stand understood her value-at-risk through the threat of a neighborhood bully in a story we call “Breaking Lemonade.”

Breaking Lemonade

Olivia is an enterprising young person in the neighborhood who operates a lemonade stand. For an eleven-year-old, she makes a rather healthy income during her summer holiday. She typically sells ~40 cups of lemonade per day in a four hour window at a price of $1 per cup. Recently, she began having problems with a neighborhood bully named Walter. 


Walter was threatening to disrupt her business by preventing her from selling lemonade unless she paid the “tax” of $5 every time he came around to “check on the business.” He had a reputation for similar anti-social behaviors on the other side of the neighborhood. She thought about getting her older brother, Oliver, to bust his shins, but that seemed too barbaric.


“You need bully insurance,” Oliver said.


“Bully insurance? What is that, and how much do I need?”


“It pays you back if you lose money to bullies. The first step is to figure out how much value at risk you face. How do you make money?”


“I sell lemonade by the cup. Since I make about $40/day, six days a week, for two and a half months, that’s $2400 at risk!” Olivia’s eyes revealed sheer panic at the thought of her whole summer business going down the drain.


“Calm down, sis. It’s not likely that Walter would close your entire business for the summer. He has other kids to pester. Girl scouts selling cookies. Kids mowing lawns. Being a bully is a business, too. It takes considerable effort, and he can’t be everywhere at once. And he wants his take, which he won’t get if your stand goes away. So let’s think about what he most likely can do. What’s the almost-worst-case situation you can imagine?”


“Well, even if he poured out my lemonade, smashed my stand, and broke my pitcher, I could get mom to make a new batch of lemonade and have a new stand made out of fruit crates in three hours. Since I make ~$10/hour, that would be $30 plus the cost of a $10 pitcher. And the tax. So, $45.”
“Great! Now, what about the almost-best-case situation? What if your losses were less? How does that play out?”


“Well, I suppose he could come to scare off the little kids that come by, but usually some golfers are around when the kids come by on the 9th hole. The golfers might scare him a little, too. So maybe he can only stop business for half an hour. That would be $5. And, again the tax. $10.”


Oliver smiled. His sister showed all the signs of becoming a world-class lemonade magnate.


“There you have it. Your value at risk is between $10 and $45 per bullying event. Now, let’s think about how often these events might occur. Remember, you’re not Walter’s only target.”


Olivia thought about how often she had actually seen Walter around. It wasn’t as often as his initial threat made it appear. “Maybe three times this summer?”


“So, for this summer, your value at risk is between $30 and $135. I know that seems like a wide range, but you thought through the plausible ways you could lose value from Walter’s shenanigans based on how your business operates and how you could counteract his bullying. That seems like an accurate way to think about it. Let’s go talk to Willy Loman, the kid down the street who runs a neighborhood insurance company. He offers good rates. He sold me prom insurance last year in case I couldn’t get a date.”

Value-at-risk is anything that an organization values, namely cash or its potential equivalents, that it would regret losing. There are innumerable ways to lose cash, but usually only a few show up as materially concerning. Traditionally, cybersecurity practitioners are taught to focus on preventing all incidents whether or not they would lead to immediate loss of cash. Taking this approach is not only functionally impossible, but it also represents a huge, potentially negligent, waste of resources to accomplish.

Instead, we should understand the sources of the most likely, plausible losses and how they could breach our capital reserves–causing material losses—and understand which threats are most likely to cause them.  When we quantify the impact of these plausible losses, we are identifying our organization’s value-at-risk. 

Conceptually, a business facing a ransomware attack or business email compromise is not that much different from a kid operating a lemonade stand that faces disruption and extortion from a local bully. And while the complexity of quantifying the value at risk of an adult-sized company is a little greater, it’s not that much greater than what Olivia and Oliver showed us in their conversation in “Breaking Lemonade.” With some persistence, resourcefulness, and systematic thinking, you can master this concept, too.

To better understand how value at risk is applied in cybersecurity, listen to our in-depth discussion with Jack Jones and Doug Hubbard as they explain how to measure what matters on the new frontier of risk management.

You might also like

Understanding identity-based attacks and how to defend against them

Breaches used to be primarily carried out via software vulnerabilities: Companies would announce a flaw, take a while to fix it, and attackers would find their way into the system using those exploits. From there they might not only steal information and assets from their primary target, but would also use their access to jump […]

Get ready for threats both old and new in 2025

It’s prediction season and while no one can see into the future, we can definitely take some educated guesses. From increasingly severe ransomware attacks to deepfakes that deceive Fortune 500 companies, we’re keeping an eye out for some major events in 2025. And while many organizations are taking steps to beef up their defenses, the […]

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]