How Boards Can Set Enforceable Cyber Risk Tolerance Levels

Boards love to say they have low risk tolerance, but are they willing to make the expensive and painful decisions to make it truly happen?