
The MFA ROI Problem: Quantifying Identity Risk Across 35 Agencies That Don't Agree on Anything

Florida's CISO breaks down how to use FAIR's TEF and Vulnerability components to build a defensible ROI case for accelerating MFA rollout.

identity security, risk quantification, FAIR framework

Jason Walker

State CISO, Florida

Picture this: two agencies, same state network, same compliance checklist, same annual security awareness training completion rate. One has federated identity with MFA enforced across every cloud tenant. The other is running legacy authentication with shared service accounts and a password policy that hasn't been updated since 2019. On paper, they look identical. In a breach, they are not even in the same universe.

That gap is the problem most state CISOs are not solving well, and the reason is simple: we keep treating identity maturity as a compliance question instead of a risk quantification problem.

What Most People Get Wrong

The conversation in state government usually goes one of two ways. Either leadership asks "are we compliant?" and the answer is a percentage score on some control framework, or someone proposes an MFA rollout and the budget office asks for ROI and nobody has a real answer.

Both conversations miss the point.

Compliance scores tell you whether a control exists. They do not tell you how much risk you carry because 12 of your 35 agencies still authenticate to cloud resources with usernames and passwords alone. ROI conversations stall because security teams default to vague statements about breach costs instead of showing the math.

The result: MFA rollout gets prioritized by whoever screams loudest, not by where the actual exposure is highest.

The FAIR Framework Changes the Conversation

FAIR, the Factor Analysis of Information Risk model, gives you a structured way to decompose risk into components you can actually measure. Two components are especially useful for this identity maturity problem: Threat Event Frequency (TEF) and Vulnerability.

TEF asks: how often, in a given time period, will a threat actor act against this asset? Vulnerability asks: given that a threat event occurs, what is the probability that it succeeds and becomes a loss event? Multiply the two and you have Loss Event Frequency, the number of successful attacks to expect per year.

Here is where this gets practical for a state environment.

TEF is not uniform across agencies. A Department of Revenue cloud tenant handling tax records gets probed differently than a Fish and Wildlife licensing portal. You can estimate TEF using a combination of your CSOC telemetry, threat intelligence feeds, and sector-specific data from MS-ISAC and CISA. Across our environment, we see measurable differences in credential attack frequency correlated directly to the data sensitivity and public profile of the agency. Some tenants absorb thousands of credential stuffing attempts per month. Others see a fraction of that. One discipline matters here: define the threat event the same way for every agency (one credential attack campaign against one tenant, not one failed login), or TEF and Vulnerability end up measured on different scales and the multiplication means nothing.

Vulnerability is where identity maturity does its work. An agency running federated identity with phishing-resistant MFA (FIDO2/WebAuthn authenticators or PIV/CAC certificates, not push notifications or one-time codes) enforced at the cloud tenant level has a dramatically lower probability that any given credential attack succeeds. An agency on legacy auth with no MFA and a known password reuse problem across employee accounts is carrying a vulnerability score that should make any CISO lose sleep.

When you plug realistic TEF and Vulnerability estimates into a FAIR analysis, you stop arguing about percentages and start talking about annualized loss exposure. That is a number a budget office can work with.

What the Numbers Actually Look Like

Across the 202,000-plus devices and 35 agencies in Florida's enterprise environment, the identity maturity gap is not theoretical. We have agencies with mature cloud identity postures and we have agencies still mid-migration from on-premises systems with technical debt that predates modern cloud adoption.

When I run a simplified FAIR analysis on the delta between a fully federated agency tenant and a legacy-auth tenant with comparable data sensitivity and public exposure, the difference in annualized loss exposure is not incremental. It is an order of magnitude. The TEF might be similar. The Vulnerability component is where the gap opens up.

A credential-based attack against an unfederated tenant with no MFA succeeds at a rate that CSOC telemetry consistently validates. The same attack against a tenant with SAML federation and MFA enforced hits a wall. The attacker has a valid password and nowhere to go with it. Two caveats keep that claim honest: legacy authentication protocols that bypass MFA (basic auth to mail and similar endpoints) have to be blocked on the tenant too, and push-based or one-time-code MFA still falls to adversary-in-the-middle phishing, which is why the phishing-resistant tier sits at the top of the rubric.

That difference is the Vulnerability term. TEF multiplied by Vulnerability is Loss Event Frequency, Loss Event Frequency multiplied by loss magnitude is annualized loss exposure, and that is the risk number you need to make the investment case.

Building the ROI Case

Here is the practical structure I use when taking this to agency leadership or budget reviewers:

  1. Tier your agencies by cloud exposure. Which agencies have the most sensitive data in cloud environments? Which have the highest TEF based on CSOC telemetry and threat intel? Start there.

  2. Score current identity maturity against a simple rubric: legacy auth only, federated identity without MFA, federated identity with MFA, federated identity with phishing-resistant MFA. Four tiers. Fast to assess.

  3. Calculate the Vulnerability delta between where an agency sits now and where it would sit after full MFA enforcement. Use your own incident data where you have it. Use MS-ISAC and industry benchmarks where you do not.

  4. Apply TEF from your threat intelligence and CSOC telemetry. TEF multiplied by the Vulnerability estimate gives Loss Event Frequency: how many successful attacks to expect in a 12-month window, before and after MFA enforcement.

  5. Multiply Loss Event Frequency by a realistic loss magnitude estimate. Use ranges (minimum, most likely, maximum) rather than single numbers so reviewers can see the uncertainty instead of arguing about one point value. Include incident response costs, notification costs, and the political cost of a breach at an agency handling sensitive citizen data. That last one is real in state government, even if it does not show up in a spreadsheet.

The output is a ranked list of agencies where accelerating MFA rollout produces the highest risk reduction per dollar spent. That is the conversation you want to be having with the State CIO and with agency heads.
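As an added worked example (not Florida's model and not the author's numbers), here is the five-step structure above as a first-pass FAIR-style model in Python: a four-tier maturity rubric, triangular (min, most likely, max) ranges for TEF, Vulnerability and loss magnitude, a Monte Carlo multiplication through to annualized loss exposure, and a ranking by ALE reduction per rollout dollar. Every agency, range, vulnerability value and cost is constructed for illustration and would be replaced by CSOC telemetry, incident data and MS-ISAC benchmarks in practice.

```python
"""First-pass FAIR-style identity risk model.

Added example, not Florida's model or numbers. Every agency, range and cost
below is constructed for illustration; calibrate with CSOC telemetry,
MS-ISAC/industry benchmarks and your own incident data.

    LEF = TEF x Vulnerability        (loss events / year)
    ALE = LEF x Loss Magnitude       ($ / year)

Inputs are (min, most likely, max) ranges sampled as triangular
distributions in a Monte Carlo loop, the same thing a spreadsheet
version of this model does with a PERT or triangular add-in.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[float, float, float]  # (min, most likely, max)

# Vulnerability = P(a credential-attack campaign yields an authenticated
# foothold), by identity maturity tier. Hypothetical values.
VULN_BY_TIER: Dict[str, Range] = {
    "legacy_auth": (0.05, 0.15, 0.30),
    "federated_no_mfa": (0.03, 0.10, 0.20),
    "federated_mfa": (0.002, 0.01, 0.03),
    "federated_phishing_resistant_mfa": (0.0001, 0.001, 0.005),
}


@dataclass
class Agency:
    name: str
    tier: str
    tef: Range           # credential-attack campaigns per year against the tenant
    loss: Range          # $ per loss event (IR, notification, recovery, ...)
    rollout_cost: float  # $ to move the tenant to the target tier (hypothetical)


def tri_mean(r: Range) -> float:
    lo, mode, hi = r
    return (lo + mode + hi) / 3


def point_estimate_ale(tef: Range, vuln: Range, loss: Range) -> float:
    """Deterministic ALE from the mean of each range (sanity check only)."""
    return tri_mean(tef) * tri_mean(vuln) * tri_mean(loss)


def simulate_ale(rng: random.Random, tef: Range, vuln: Range, loss: Range,
                 runs: int) -> float:
    """Monte Carlo mean ALE: each run draws one TEF, one Vulnerability and
    one loss magnitude and multiplies through."""
    total = 0.0
    for _ in range(runs):
        lef = (rng.triangular(tef[0], tef[2], tef[1])
               * rng.triangular(vuln[0], vuln[2], vuln[1]))
        total += lef * rng.triangular(loss[0], loss[2], loss[1])
    return total / runs


def rank_by_risk_reduction(agencies: List[Agency],
                           target_tier: str = "federated_phishing_resistant_mfa",
                           runs: int = 20_000, seed: int = 7) -> List[dict]:
    """Steps 3-5: Vulnerability delta (current tier vs target tier), TEF,
    loss magnitude, then rank by ALE reduction per rollout dollar."""
    rng = random.Random(seed)
    rows = []
    for a in agencies:
        before = simulate_ale(rng, a.tef, VULN_BY_TIER[a.tier], a.loss, runs)
        after = simulate_ale(rng, a.tef, VULN_BY_TIER[target_tier], a.loss, runs)
        rows.append({
            "agency": a.name,
            "tier": a.tier,
            "ale_before": before,
            "ale_after": after,
            "reduction": before - after,
            "reduction_per_dollar": (before - after) / a.rollout_cost,
        })
    rows.sort(key=lambda r: r["reduction_per_dollar"], reverse=True)
    return rows


# Constructed portfolio. Revenue and Health share TEF and loss ranges and
# differ only in tier; Wildlife is small but on legacy auth.
SAMPLE_AGENCIES = [
    Agency("Revenue", "legacy_auth", (5, 12, 25), (500_000, 2_000_000, 8_000_000), 400_000),
    Agency("Health", "federated_no_mfa", (5, 12, 25), (500_000, 2_000_000, 8_000_000), 350_000),
    Agency("Wildlife", "legacy_auth", (1, 3, 8), (50_000, 200_000, 600_000), 120_000),
    Agency("Transportation", "federated_mfa", (3, 8, 16), (200_000, 800_000, 3_000_000), 60_000),
]

if __name__ == "__main__":
    for r in rank_by_risk_reduction(SAMPLE_AGENCIES):
        print(f"{r['agency']:15} {r['tier']:33} ALE ${r['ale_before']:>12,.0f} -> "
              f"${r['ale_after']:>10,.0f}  reduction per $: {r['reduction_per_dollar']:.1f}")
```

With these constructed inputs the Revenue tenant's ALE drops by roughly eighty times when it moves from legacy auth to phishing-resistant MFA, and the ranking puts the two large tenants first and the small legacy-auth Wildlife tenant last, which is the "risk delta, not agency size or political pull" ordering the article argues for. Swap the triangular draws for your own incident-derived distributions and the structure stays the same.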

What You Should Do Differently

Stop presenting identity security as a checklist. Start presenting it as a portfolio of risk positions that vary by agency.

Build a simple FAIR-based model for your environment. You do not need a PhD or expensive software to do a first-pass analysis. A spreadsheet with realistic TEF ranges, vulnerability estimates by maturity tier, and conservative loss magnitude assumptions will give you more defensible numbers than any compliance dashboard.

Use your CSOC telemetry as primary source data. The credential attack volume hitting your cloud tenants is real, it is measurable, and it directly calibrates your TEF estimates.

Then prioritize your rollout by risk delta, not by agency size, not by who asked first, and not by who has the most political pull.

The agencies that look identical on a compliance scorecard are not identical. The math shows the difference. Your job as CISO is to make that math visible before a breach makes it undeniable.