This document discusses the differences between risk appetite and resilience in cybersecurity. It argues that calculating cyber risk is more difficult than financial risk because cyber threats are less quantifiable and have potential for greater uncontrolled exposure. It provides several examples of companies that experienced security breaches and vulnerabilities. The document advocates for taking a more operational approach to security rather than just compliance, and rethinking security strategies and behaviors to better protect organizations.