How CISO Game works
CISO Game is grounded in a small number of mechanics that together model a 5-year cybersecurity strategy program. This page is the canonical reference for how exposure, posture, and the verdict are calculated — every risk and investment page links back here.
The five live metrics
Every quarter you watch five numbers move:
- Composite Posture (0–100) — weighted average of six subscores. Win condition at Q20 is ≥ 60.
- Board Confidence (0–100) — how much the board trusts your judgment. Falls below 20 for 3 consecutive quarters and you're fired. Win condition at Q20 is ≥ 30.
- Customer Trust (0–100) — external reputation. Moved by transparent disclosure choices, Trust Center investments, and bug bounty programs.
- Business Friction (0–100) — how much security is slowing the company down. High friction silently bleeds posture every quarter.
- Team Morale (0–100) — how the security team is doing. Low morale drags posture and erodes board confidence.
The six posture subscores
Composite Posture decomposes into six functional subscores aligned with NIST CSF 2.0:
- Detection (weight 20%) — your ability to see attacks in progress.
- Response (weight 18%) — how fast you can contain.
- Prevention (weight 18%) — how much you can stop before it lands.
- Identity (weight 16%) — IAM, IDP, PAM, MFA — the new perimeter.
- Recovery (weight 14%) — how fast you can be back online after an incident.
- Awareness (weight 14%) — the human attack surface, training, phishing simulation.
Each subscore starts at 30. Every product you buy contributes to one or more subscores, and that contribution is multiplied by four factors: ramp (50% in the buy quarter, 100% after), team factor (30% if a required role is missing, otherwise 100%), orphan factor (50% if the deployment owner has left, otherwise 100%), and overload factor (70% if the owner has too many products, otherwise 100%). A product bought this quarter whose owner has left and whose required role is unstaffed therefore delivers only 0.5 × 0.3 × 0.5 = 7.5% of its nominal contribution.
How risk exposure is calculated
This is the one formula that drives every risk register entry:
exposure = clamp(0, 100, 100 − total_reduction + offset)
Where total_reduction sums two layers:
- Posture layer: Σ (subscore × mitigationWeight) over the six subscores. This is the passive baseline: every product that lifts a subscore reduces every risk that depends on that subscore, weighted by how much the risk depends on it.
- Curated layer: Σ (coveragePct × ramp × teamFactor × orphanFactor × overloadFactor) over every active mitigating product. This is the targeted reduction: products that explicitly mitigate a specific risk move it more than products that only contribute through posture.
The offset is a structural residual — exposure points that no product can fully remove. Zero-day risks, vendor monoculture, regulator unpredictability, and similar all carry an offset. Even at 100% posture, a risk with offset 30 still shows exposure ≥ 30.
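The contribution factors and the exposure formula above, carried through as an added worked example in Python. This is written for this page and is not the game's own code: the products, subscore contributions, coverage values, mitigation weights and the offset are all constructed, and the damping of subscores above 80 described later on the page is left out so the arithmetic can be checked by hand. The `projected_delta` helper shows how a purchase's projected risk movement can be previewed before confirming it.

```python
# Added worked example of the CISO Game contribution factors and exposure
# formula, written for this page; not the game's own code. Every product,
# risk and weight below is constructed to illustrate the mechanics.
from dataclasses import dataclass, field

SUBSCORES = ("detection", "response", "prevention", "identity", "recovery", "awareness")
# Composite Posture weights as given on the page (they sum to 1.0).
POSTURE_WEIGHTS = {"detection": 0.20, "response": 0.18, "prevention": 0.18,
                   "identity": 0.16, "recovery": 0.14, "awareness": 0.14}
BASE_SUBSCORE = 30.0


@dataclass
class Product:
    name: str
    bought_quarter: int
    contributions: dict[str, float]                 # subscore -> points at full ramp
    mitigates: dict[str, float] = field(default_factory=dict)  # risk id -> coveragePct
    role_present: bool = True                        # team factor: required role staffed?
    owner_present: bool = True                       # orphan factor: deployment owner still here?
    owner_overloaded: bool = False                   # overload factor: owner owns too much?


@dataclass
class Risk:
    id: str
    mitigation_weights: dict[str, float]             # subscore -> how much the risk depends on it
    offset: float                                    # structural residual no product removes


def effective_factor(p: Product, quarter: int) -> float:
    """ramp x teamFactor x orphanFactor x overloadFactor for one product."""
    ramp = 0.5 if quarter == p.bought_quarter else 1.0
    team = 1.0 if p.role_present else 0.3
    orphan = 1.0 if p.owner_present else 0.5
    overload = 0.7 if p.owner_overloaded else 1.0
    return ramp * team * orphan * overload


def subscores(products: list[Product], quarter: int) -> dict[str, float]:
    """Each subscore starts at 30; owned products add their scaled contributions.
    (The >80 damping described later on the page is not modelled here.)"""
    scores = {s: BASE_SUBSCORE for s in SUBSCORES}
    for p in products:
        if p.bought_quarter > quarter:
            continue                                 # not bought yet
        f = effective_factor(p, quarter)
        for s, pts in p.contributions.items():
            scores[s] += pts * f
    return scores


def composite_posture(scores: dict[str, float]) -> float:
    return sum(scores[s] * w for s, w in POSTURE_WEIGHTS.items())


def exposure(risk: Risk, products: list[Product], quarter: int) -> float:
    """exposure = clamp(0, 100, 100 - total_reduction + offset), as written on the page."""
    scores = subscores(products, quarter)
    posture_layer = sum(scores[s] * w for s, w in risk.mitigation_weights.items())
    curated_layer = sum(p.mitigates[risk.id] * effective_factor(p, quarter)
                        for p in products
                        if risk.id in p.mitigates and p.bought_quarter <= quarter)
    total_reduction = posture_layer + curated_layer
    return max(0.0, min(100.0, 100.0 - total_reduction + risk.offset))


def projected_delta(risk: Risk, products: list[Product], candidate: Product, quarter: int) -> float:
    """Exposure change if `candidate` (bought this quarter, so at 50% ramp) were added."""
    return exposure(risk, products + [candidate], quarter) - exposure(risk, products, quarter)


# Constructed portfolio seen in Q4: an EDR bought last quarter, a PAM whose
# owner has left, and a phishing simulator bought this quarter with nobody to run it.
PORTFOLIO = [
    Product("EDR", 3, {"detection": 25, "response": 15}, {"ransomware": 20}),
    Product("PAM", 2, {"identity": 30, "prevention": 10}, {"ransomware": 10}, owner_present=False),
    Product("Phishing sim", 4, {"awareness": 20}, role_present=False),
]
RANSOMWARE = Risk("ransomware",
                  {"detection": 0.3, "response": 0.2, "prevention": 0.2,
                   "identity": 0.2, "recovery": 0.1},
                  offset=15)
BACKUP_DR = Product("Backup/DR", 4, {"recovery": 30}, {"ransomware": 15})

if __name__ == "__main__":
    q = 4
    s = subscores(PORTFOLIO, q)
    print(s)                                         # detection 55, response 45, identity 45, ...
    print(round(composite_posture(s), 2))            # 41.42
    print(exposure(RANSOMWARE, PORTFOLIO, q))        # 45.5
    print(projected_delta(RANSOMWARE, PORTFOLIO, BACKUP_DR, q))  # -9.0
```

Walking the numbers: in Q4 the EDR is at full ramp with all factors at 100%, the PAM is halved by the orphan factor, and the phishing simulator delivers 0.5 × 0.3 = 15% of its contribution. The posture layer for the ransomware risk comes to 44.5, the curated layer to 25, so exposure is 100 − 69.5 + 15 = 45.5. Previewing the Backup/DR purchase at 50% ramp moves it by −9.0 (1.5 through the recovery subscore, 7.5 through direct coverage).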
Quarterly turn order
Each quarter runs the same loop: morale-decay tick → recompute posture and risk exposures → bill quarterly costs → check for year-end reconciliation → run any triggered events → update CISO responsibilities → check loss conditions → check victory if Q20.
Win and lose
At Q20 you need Composite Posture ≥ 60, Board Confidence ≥ 30, and cumulative overspend ≤ $500,000. You lose early if board confidence sits below 20 for 3 consecutive quarters or cumulative overspend exceeds $1,000,000.
The friction tax
Each quarter, every posture subscore loses (friction / 100) × 5 points to friction decay. At friction 100 that is 5 points per subscore per quarter, a major silent bleed. Friction is pushed up by DLP, MDM, PAM and architecture rollouts, and pulled down by GRC hires. High friction is the most common silent program-killer for players with a high composite who did not watch it.
Diminishing returns
Subscore values above 80 are dampened toward an asymptote at 100. You can't grind a single subscore to 100 by buying more of one category — past 80 the marginal contribution shrinks. The model rewards balanced programs.
Try the simulator
Play CISO Game free — no signup, no install. Every metric on this page is visible live in the in-game Overview, with each purchase showing projected risk movement before you confirm. Confused by a term? See the glossary for plain-English definitions of every mechanic, role, and metric.