@ret2bed @feld @jomo @lorenzofb I'm genuinely curious if there is some standard risk assessment practice to take into account that compromise of n% of users would provide access to data of, say (n^2)% of users (that function obviously doesn't work but you get the idea)?

Same question whether there are best practices for determining a threshold for "enforce MFA" or is it just "if you got breached, you definitely should've enforced it"?