Private-sector researchers developed a new formula to supplement traditional ROI analysis in assessing the value of new security controls. Traditionally, institutions have struggled to define the value of not being attacked versus the cost of implementing new controls. Adversaries, on the other hand, from identity thieves to government-sponsored hackers, can easily identify their own ROI.
The formula measures the ROI to the adversary, pointing the way for targets to decrease the potential return of an attack. The formula also demonstrates why higher education is uniquely at risk: modern universities hold more types of valuable data than any industry, so a successful breach is akin to hitting 10 industries at once. At the same time, vulnerabilities are more distributed, and more opaque, than in any industry; higher-education CISOs have immense difficulty tracking and controlling all campus vulnerabilities.