Maersk's shipping business ground to a halt while new laptops were purchased and manual workarounds were quickly established for formerly automated business processes. Some definitions of risk characterize risk events as having a possible positive impact as well as negative. However, operational risk presents a fundamentally different continuum. Controls are one method to treat risk, but enterprise risk management will often consider others. Other options for risk treatment are transfer, avoidance, and acceptance. Because a risk appetite statement is management's qualitative view of risk and is based on business mission and core values, it may not be obvious how it maps to cybersecurity at a category level. While risk appetite is a qualitative statement that is measurable only in nominal and ordinal values, the risk tolerance measures a range of values on a scale that is numeric. All cybersecurity risk tolerance metrics should provide some information relevant to evaluating cybersecurity risk.