Download the Case Study. Explore the ROI. Transform Your Cybersecurity
Discover how the University of Arizona revolutionized its cyber risk management approach—and achieved over 1000% ROI.
The One-Hour Security Plan – A Case Study
In this real-world transformation story, you'll learn how a small team at the University of Arizona used Sibylity to:
- Implement a one-hour planning model that scaled across hundreds of resources.
- Shift from sporadic assessments to a continuous, inclusive risk management cycle.
- Empower resource teams while enabling central orchestration by security.
- Achieve broader coverage and deeper security insights—without adding staff.
Unlock Access
Tell us about yourself and your organization to get access to the case study and it's companion ROI calculator.
Contact Us
We will get back to you as soon as possible.
Please try again later.
Frequently Asked Questions
What is the One-Hour Security Plan?
It’s the story of how the University of Arizona redefined cyber risk management—shifting away from outdated, compliance-driven processes toward an agile, collaborative model. With Sibylity, they embedded security expertise into daily workflows, empowered resource teams, and developed effective security plans in just one hour per resource.
What results did the University of Arizona achieve?
93.75% time savings per security plan (from 16+ hours to 1 hour)
Who is this case study for?
CISOs, security and risk leaders, higher education institutions, and anyone seeking a scalable, economically viable model for cyber risk management.
Is the case study just about software?
Not at all. It’s about rethinking how security gets done—shifting ownership to resource teams, embedding just-in-time expertise, and building a culture of collaboration. Sibylity was the tool that made it possible, but the impact came from the transformation it enabled.
What does the ROI calculator do?
It estimates how much your organization could benefit—financially and operationally—by adopting the approach used at the University of Arizona. It models your potential risk reduction, efficiency gains, and overall ROI based on real-world data and your current organizational practices.
Do I need to know how to calculate ALE or breach costs?
No. The calculator guides you through key questions about your visibility, culture, procurement practices, and more—then translates your answers into impact estimates, using industry baselines and the same logic applied in the case study.
Is this calculator only for universities?
No. While the case study focuses on higher education, the principles behind Sibylity’s model—distributed responsibility, embedded expertise, and agile planning—apply broadly across sectors.
How accurate are the ROI estimates?
They’re grounded in validated sector data (like IBM’s breach cost report) and reflect conservative modeling assumptions. The calculator adjusts for confidence, overlap between factors, and your organization’s maturity to give you credible, scenario-based estimates.
What’s the difference between this and a traditional ROI tool?
Traditional tools often ask for hard-to-estimate breach costs or assume static savings. This calculator uses a branching activity model and organizational practice inputs to reflect how real change happens—and how deeply it can impact both cost and risk.
Is Sibylity required to achieve these outcomes?
The University of Arizona achieved their results using Sibylity, and the platform was purpose-built to support this model. However, the principles of the transformation—lean process design, distributed ownership, embedded guidance—can inspire improvements in any program.
Can I use the calculator output to justify a business case?
Yes. The calculator provides outputs that are ideal for board presentations, budget requests, and internal planning—quantifying risk reduction, efficiency, and total value.
What research inspired the University of Arizona’s new approach to cyber risk management?
The transformation drew on decades of research in cybersecurity economics, safety culture, and decision science. Foundational thinkers like Ross Anderson, Tyler Moore, Russell Thomas, and Ashley Bye provided critical insights into why traditional approaches fail—and how to design something that actually works.
Why does the case study reference Anderson and Moore’s “Economics of Information Security”?
Because it helps explain the root cause of many security program failures: misaligned incentives. Their work showed that when those responsible for managing systems aren’t empowered or motivated to handle security, risk persists. The UArizona model realigns responsibility with capability—putting resource teams in charge of planning while central teams guide and orchestrate.
What is the Branching Activity Model, and why is it used in the ROI calculator?
Developed by Thomas et al., the Branching Activity Model reframes breach impact as a probabilistic outcome of organizational behavior, not just static loss. This lets us model how improved planning, visibility, and culture can reduce both the severity and likelihood of security incidents. The calculator uses this to provide more realistic, behavior-sensitive ROI projections.
What role does security culture play in the model?
A major one. Research by Ashley Bye and others shows that engaged, collaborative security cultures lead to faster response times, better reporting, and stronger resilience. The UArizona approach prioritized cultural transformation—shifting from compliance checklists to ongoing risk-informed decision-making across the institution.
Is this just a theoretical model or does it reflect real-world practice?
This model has been fully operationalized. Sibylity, the platform developed from the UArizona initiative, translates these research insights into practical workflows, guidance, and automation—demonstrating that theory-informed design can lead to measurable, scalable results.
How do I get started with Sibylity?
Visit www.sibylsoft.com to request a demo, download whitepapers, or contact the team for a tailored consult.
