When executives are asked what data they are prepared to lose, many respond saying they will not accept the loss of any data. The sentiment is noble, but this is not the right answer. Instead, executives and boards should agree on acceptable levels of cyberrisk across an organization, and begin by setting the risk appetite.