Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Breaking Lemonade: Understanding Value at Risk

Protect your organization from the most financially damaging threats by understanding what is truly at stake

by Rob Brown , Sr Director of Cyber Resilience
Published

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to understand on their journey from siloed security and insurance to integrated cyber resilience. 

If this concept still feels unclear to you, consider this tale of how a young entrepreneur who owned a lemonade stand understood her value-at-risk through the threat of a neighborhood bully in a story we call “Breaking Lemonade.”

Breaking Lemonade

Olivia is an enterprising young person in the neighborhood who operates a lemonade stand. For an eleven-year-old, she makes a rather healthy income during her summer holiday. She typically sells ~40 cups of lemonade per day in a four hour window at a price of $1 per cup. Recently, she began having problems with a neighborhood bully named Walter. 


Walter was threatening to disrupt her business by preventing her from selling lemonade unless she paid the “tax” of $5 every time he came around to “check on the business.” He had a reputation for similar anti-social behaviors on the other side of the neighborhood. She thought about getting her older brother, Oliver, to bust his shins, but that seemed too barbaric.


“You need bully insurance,” Oliver said.


“Bully insurance? What is that, and how much do I need?”


“It pays you back if you lose money to bullies. The first step is to figure out how much value at risk you face. How do you make money?”


“I sell lemonade by the cup. Since I make about $40/day, six days a week, for two and a half months, that’s $2400 at risk!” Olivia’s eyes revealed sheer panic at the thought of her whole summer business going down the drain.


“Calm down, sis. It’s not likely that Walter would close your entire business for the summer. He has other kids to pester. Girl scouts selling cookies. Kids mowing lawns. Being a bully is a business, too. It takes considerable effort, and he can’t be everywhere at once. And he wants his take, which he won’t get if your stand goes away. So let’s think about what he most likely can do. What’s the almost-worst-case situation you can imagine?”


“Well, even if he poured out my lemonade, smashed my stand, and broke my pitcher, I could get mom to make a new batch of lemonade and have a new stand made out of fruit crates in three hours. Since I make ~$10/hour, that would be $30 plus the cost of a $10 pitcher. And the tax. So, $45.”
“Great! Now, what about the almost-best-case situation? What if your losses were less? How does that play out?”


“Well, I suppose he could come to scare off the little kids that come by, but usually some golfers are around when the kids come by on the 9th hole. The golfers might scare him a little, too. So maybe he can only stop business for half an hour. That would be $5. And, again the tax. $10.”


Oliver smiled. His sister showed all the signs of becoming a world-class lemonade magnate.


“There you have it. Your value at risk is between $10 and $45 per bullying event. Now, let’s think about how often these events might occur. Remember, you’re not Walter’s only target.”


Olivia thought about how often she had actually seen Walter around. It wasn’t as often as his initial threat made it appear. “Maybe three times this summer?”


“So, for this summer, your value at risk is between $30 and $135. I know that seems like a wide range, but you thought through the plausible ways you could lose value from Walter’s shenanigans based on how your business operates and how you could counteract his bullying. That seems like an accurate way to think about it. Let’s go talk to Willy Loman, the kid down the street who runs a neighborhood insurance company. He offers good rates. He sold me prom insurance last year in case I couldn’t get a date.”

Value-at-risk is anything that an organization values, namely cash or its potential equivalents, that it would regret losing. There are innumerable ways to lose cash, but usually only a few show up as materially concerning. Traditionally, cybersecurity practitioners are taught to focus on preventing all incidents whether or not they would lead to immediate loss of cash. Taking this approach is not only functionally impossible, but it also represents a huge, potentially negligent, waste of resources to accomplish.

Instead, we should understand the sources of the most likely, plausible losses and how they could breach our capital reserves–causing material losses—and understand which threats are most likely to cause them.  When we quantify the impact of these plausible losses, we are identifying our organization’s value-at-risk. 

Conceptually, a business facing a ransomware attack or business email compromise is not that much different from a kid operating a lemonade stand that faces disruption and extortion from a local bully. And while the complexity of quantifying the value at risk of an adult-sized company is a little greater, it’s not that much greater than what Olivia and Oliver showed us in their conversation in “Breaking Lemonade.” With some persistence, resourcefulness, and systematic thinking, you can master this concept, too.

To better understand how value at risk is applied in cybersecurity, listen to our in-depth discussion with Jack Jones and Doug Hubbard as they explain how to measure what matters on the new frontier of risk management.

You might also like

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]

Artificial Intelligence for Cyber Resilience

AI tools are shifting the calculus for cyber defense by enhancing key areas such as vulnerability mapping, breach detection, incident response, and penetration testing. This integration could help an organization bolster its cyber resilience against an ever-evolving threat landscape. AI tools could automate the discovery and monitoring of vulnerabilities, providing real-time updates of an organization’s […]

cyber resilience framework

AI and Misuse

Welcome to part two in our series on AI and cyber risk. Be sure to read the first installment “What you need to know: Artificial Intelligence at the Heart of Cyber,” here. Key takeaways Background In February 2024, OpenAI – in collaboration with Microsoft— tracked adversaries from Russia, North Korea, Iran, and China, leveraging their […]

cyber resilience framework

Cybersecurity Incidents & Trends in Canada

Executive Summary Emerging cyber threats increasingly target Canadian organizations, government agencies, and individuals, with recent attacks revealing sophisticated tactics by threat actors. Threat actors delivered the Formbook infostealer to companies via emails that posed as job candidates. Meanwhile, the Chameleon Trojan attacked Canadian financial institutions and a restaurant chain by masquerading as legitimate apps. Cybercriminals […]

Digital Risk: Enterprises Need More Than Cyber Insurance

What you need to know: Artificial Intelligence at the Heart of Cyber

As AI technologies become more embedded in cyber strategies, they enhance the capabilities of threat actors while also offering innovative defenses to organizations [1]. AI tools can amplify adversaries’ traditional Techniques, Tools, and Procedures (TTPs) by automating the generation of sophisticated threats such as polymorphic malware — which can dynamically alter its code to evade […]