How CISO Simulator works


Cybersecurity posture in CISO Simulator is measured as a Composite Posture score from 0–100, computed as a weighted average of six subscores: Detection (20%), Response (18%), Prevention (18%), Identity (16%), Recovery (14%), and Awareness (14%). The six subscores align with NIST CSF 2.0 functional areas. Risk exposure is the inverse: 100 − total_reduction + offset, clamped to 0–100, recomputed live as investments and team changes move the underlying subscores.

CISO Simulator is grounded in a small number of mechanics that together model a 5-year cybersecurity strategy program. This page is the canonical reference for how exposure, posture, and the verdict are calculated — every risk and investment page links back here.

The five live metrics

Every quarter you watch five numbers move:

The six posture subscores

Composite Posture decomposes into six functional subscores aligned with NIST CSF 2.0: Detection (20%), Response (18%), Prevention (18%), Identity (16%), Recovery (14%), and Awareness (14%).

Each subscore starts at 30. Every product you buy contributes to one or more subscores, scaled by ramp (50% in the buy quarter, 100% after), team factor (30% if a required role is missing), orphan factor (50% if the deployment owner left), and overload factor (70% if the owner has too many products).

How risk exposure is calculated

This is the one formula that drives every risk register entry:

exposure = clamp(0, 100, 100 − total_reduction + offset)

Where total_reduction sums two layers:

The offset is a structural residual — exposure points that no product can fully remove. Zero-day risks, vendor monoculture, regulator unpredictability, and similar all carry an offset. Even at 100% posture, a risk with offset 30 still shows exposure ≥ 30.

Quarterly turn order

Each quarter runs the same loop: morale-decay tick → recompute posture and risk exposures → bill quarterly costs → check for year-end reconciliation → run any triggered events → update CISO responsibilities → check loss conditions → check victory if Q20.

Win and lose

At Q20 you need Composite Posture ≥ 70, Board Confidence ≥ 50, and cumulative overspend ≤ $350,000. You lose early if board confidence sits below 20 for 3 consecutive quarters or cumulative overspend exceeds $700,000.

The friction tax

Each quarter, every posture subscore loses (friction / 100) × 5 points to friction decay. At friction 100, that's 5 points per subscore per quarter — a major silent bleed. Friction is moved by DLP, MDM, PAM, architecture rollouts (up) and GRC hires (down). High friction is the most common silent program-killer for high-composite players who didn't watch it.

Diminishing returns

Subscore values above 80 are dampened toward an asymptote at 100. You can't grind a single subscore to 100 by buying more of one category — past 80 the marginal contribution shrinks. The model rewards balanced programs.
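The mechanics above (the four product scaling factors, the friction tax, the exposure formula, the dampening above 80, and the Q20 win and early-loss checks) carried through in Python as an added example; this is not the simulator's own code. The page gives the weights, factors, thresholds and the exposure formula but not how the factors combine, the shape of the dampening curve, or the order in which decay and dampening apply; the multiplicative combination, the exponential approach toward 100, the decay-before-dampening order, and the sample product portfolio are all assumptions.

```python
import math
from dataclasses import dataclass

# Subscore weights as stated on the page; Composite Posture is their weighted average.
WEIGHTS = {
    "Detection": 0.20, "Response": 0.18, "Prevention": 0.18,
    "Identity": 0.16, "Recovery": 0.14, "Awareness": 0.14,
}
BASE_SUBSCORE = 30.0  # every subscore starts here


def clamp(lo, hi, x):
    return max(lo, min(hi, x))


@dataclass
class Product:
    """One purchased product and the deployment conditions that scale its contribution."""
    name: str
    contributions: dict             # subscore name -> raw points this product adds
    bought_this_quarter: bool       # ramp: 50% in the buy quarter, 100% after
    role_missing: bool = False      # team factor: 30% if a required role is missing
    owner_left: bool = False        # orphan factor: 50% if the deployment owner left
    owner_overloaded: bool = False  # overload factor: 70% if the owner has too many products

    def scale(self) -> float:
        # Assumption: the four factors multiply; the page lists them but not how they combine.
        f = 0.5 if self.bought_this_quarter else 1.0
        if self.role_missing:
            f *= 0.3
        if self.owner_left:
            f *= 0.5
        if self.owner_overloaded:
            f *= 0.7
        return f


def dampen(value: float) -> float:
    """Assumed diminishing-returns curve: untouched up to 80, then an exponential
    approach toward the asymptote at 100 (the page names the asymptote, not the curve)."""
    if value <= 80:
        return value
    return 80 + 20 * (1 - math.exp(-(value - 80) / 20))


def friction_decay(friction: float) -> float:
    """Points lost per subscore per quarter: (friction / 100) x 5."""
    return friction / 100 * 5


def recompute_subscores(products, friction):
    """One quarter's posture recompute. Assumed order: contributions, then decay, then dampening."""
    scores = {k: BASE_SUBSCORE for k in WEIGHTS}
    for p in products:
        s = p.scale()
        for subscore, pts in p.contributions.items():
            scores[subscore] += pts * s
    decay = friction_decay(friction)
    return {k: clamp(0, 100, dampen(v - decay)) for k, v in scores.items()}


def composite_posture(scores):
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)


def exposure(total_reduction, offset):
    """The one formula behind every risk register entry; offset is the residual no product removes."""
    return clamp(0, 100, 100 - total_reduction + offset)


def victory_at_q20(posture, board_confidence, overspend):
    return posture >= 70 and board_confidence >= 50 and overspend <= 350_000


def early_loss(confidence_history, overspend):
    """Board confidence below 20 for 3 consecutive quarters, or cumulative overspend above $700,000."""
    last3 = confidence_history[-3:]
    return (len(last3) == 3 and all(c < 20 for c in last3)) or overspend > 700_000


# Constructed sample portfolio (not from the page): one settled product, one just bought,
# one whose deployment owner has left.
SAMPLE_PRODUCTS = [
    Product("EDR", {"Detection": 30, "Response": 10}, bought_this_quarter=False),
    Product("PAM", {"Identity": 40}, bought_this_quarter=True),
    Product("Backup", {"Recovery": 20}, bought_this_quarter=False, owner_left=True),
]

if __name__ == "__main__":
    scores = recompute_subscores(SAMPLE_PRODUCTS, friction=40)
    print(scores)
    print("composite:", round(composite_posture(scores), 2))
    print("zero-day exposure at full reduction:", exposure(100, 30))
```

Running it shows the two effects the page calls out: the orphaned Backup product delivers half its points, and a risk with offset 30 still reports exposure 30 even when total_reduction reaches 100.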

Try the simulator

Play CISO Simulator free — no signup, no install. Every metric on this page is visible live in the in-game Overview, with each purchase showing projected risk movement before you confirm. Confused by a term? See the glossary for plain-English definitions of every mechanic, role, and metric.
