Cybersecurity Return on Investment: What K–12 Districts Should Measure
Cybersecurity Return on Investment: What K–12 Districts Should Measure
Publish Date: 2026-02-24 16:14:00
Source Domain: edtechmagazine.com
Multifactor Authentication and Phishing Metrics Show Success
Vermont is using specific operational metrics to measure whether cybersecurity investments are reducing risk across its K–12 school districts, says Lisa Helme, education programs division director at the Vermont Agency of Education (AOE).
The state focuses on indicators that reflect real improvements in security posture, particularly staff training, multifactor authentication adoption and incident readiness. Adoption of MFA has been one of the clearest measures of progress.
“In 2021, 35% of our school districts had MFA in place, compared with 79% today,” Helme says. The increase significantly reduces the risk of compromised accounts, one of the most common entry points for attackers.
The state also tracks whether districts have formal breach response plans, which define how to identify assets, evaluate exposure and respond to incidents. “In 2022 only 26% of our districts had any kind of a breach plan in place,” she says. “Today we’re at 58%.”
DISCOVER: See how K–12 districts can collaborate for greater cyber resilience.
Phishing simulations provide another key metric. Vermont deployed a statewide security awareness platform that allows districts to test and improve staff behavior. After running 214 awareness education campaigns and conducting 300 phishing simulations, the results show measurable improvement.
“When they first started, they had an open rate for these phishing emails of just over 32%, and that’s now dropped to 18%,” Helme says. “But that’s still too high.”
More encouraging, perhaps: The 44% open rate in another case has now dropped to 2%.
Firewalls and Artificial Intelligence–Driven Automation
Steele suggests districts focus on operational improvements such as streamlining security policies, optimizing firewall rules and leveraging AI-driven automation to dramatically enhance security posture.
Simplifying and consolidating toolsets reduces complexity and…
