Cybersecurity risk register

A CISO's job runs against a register of named, prioritized risks. CISO Game tracks 52 of them live — every product purchase, hire, or event resolution moves their exposure scores in real time.

Why a risk register matters

Every mature security program is anchored to a risk register: a structured list of named threats with severity, likelihood, ownership, and mitigation status. The register is what the CISO carries into the boardroom, what auditors ask for, and what insurance carriers attest against. Without one, security work runs as a backlog of tooling decisions disconnected from the risks they actually address. CISO Game makes this connection visible — every investment links to the specific risks it mitigates, and every event in the simulation traces back to a risk that was inadequately covered.

How CISO Game's risk categories map to real frameworks

The eight categories below align loosely with NIST CSF 2.0 functional areas and MITRE ATT&CK enterprise tactics. External risks (R01–R08) cover adversarial action originating outside the company perimeter — ransomware, phishing, DDoS, supply chain. Identity covers authentication, authorization, and identity-provider concentration. Insider handles malicious or negligent authorized users. Data tracks confidentiality and integrity across all storage. Operational covers IT/OT and physical-cyber convergence. Resilience measures recovery readiness. Governance is the regulatory, audit, and compliance posture. AI is the newest category — only material when AI focus is enabled in the scenario.

What the severity score means

Severity runs 1–10. Catastrophic (9–10) risks like Ransomware (R01) and Supply Chain (R06) are program-ending if they materialize without preparation. Major (7–8) risks materially impact the program but are recoverable. Moderate (5–6) risks are persistent operational concerns. Limited (1–4) risks are background noise that the program should track but rarely act on directly. Severity is one input to exposure — the other is your current posture and which mitigating products you own. How exposure is calculated →

The full register

Click any risk for its mitigation profile, the investments that reduce its exposure, related risks with similar dominant subscores, and the scenarios where it appears prominently.

AI risks 11

• R24 Training Data Poisoningseverity 9
• R30 EU AI Act High-Risk Non-Conformityseverity 9
• R23 Prompt Injection / Jailbreakingseverity 8
• R25 Model Theft / IP Exfiltrationseverity 8
• R28 AI Supply Chain Compromiseseverity 8
• R31 Autonomous AI Agent Misuseseverity 8
• R27 Shadow AI / Unsanctioned LLM Useseverity 7
• R43 Insider AI Misuseseverity 7
• R47 AI Inventory Gapseverity 7
• R48 Third-Party Model Procurement DD Gapseverity 7
• R26 Hallucination → Misinformation Liabilityseverity 6

Data risks 9

• R13 Data Exfiltrationseverity 9
• R42 Secrets / Key-Management Failureseverity 8
• R15 Cloud Misconfigurationseverity 7
• R39 SaaS Security Posture / Tenant Misconfigurationseverity 7
• R14 Data Loss (accidental)severity 6
• R35 Post-Quantum Cryptographic Riskseverity 6
• R37 Mobile / BYOD Data Exposureseverity 6
• R50 Data Residency / Sovereignty Driftseverity 6
• R16 Shadow ITseverity 5

External risks 11

• R01 Ransomwareseverity 10
• R06 Supply Chain Compromiseseverity 9
• R07 Zero-Day Exploitationseverity 9
• R44 OSS Maintainer Takeover / Hostile Forkseverity 9
• R02 Business Email Compromise (BEC)severity 8
• R04 Web Application Attackseverity 8
• R38 API Abuse / Broken Object-Level Authorizationseverity 8
• R03 Phishing / Credential Theftseverity 7
• R08 Account Takeoverseverity 7
• R34 DDoS-Extortion / Layer-7 Abuseseverity 7
• R05 DDoSseverity 5

Governance risks 11

• R29 Regulatory Fine / DPA Actionseverity 9
• R17 Regulatory Non-Complianceseverity 8
• R40 Sanctions / Export-Control Violationseverity 8
• R19 M&A Integration / Diligence Failureseverity 7
• R36 Log Retention / Audit-Trail Failureseverity 7
• R49 Nth-Party Concentration Riskseverity 7
• R18 Audit Failureseverity 6
• R45 Risk Appetite & Strategy Gap (NIST CSF GV.RM)severity 6
• R51 Software Procurement Without Cyber-Attestationseverity 6
• R52 PQC Migration Plan Absence (Governance)severity 6
• R46 Policy & Oversight Gap (NIST CSF GV.PO/GV.OV)severity 5

Identity risks 1

• R33 Deepfake / Synthetic-Identity Fraudseverity 8

Insider risks 4

• R09 Insider Threatseverity 8
• R11 Lateral Movementseverity 8
• R10 Privilege Abuseseverity 7
• R12 Third-Party Access Riskseverity 7

Operational risks 2

• R32 OT / ICS Compromiseseverity 9
• R41 Identity Provider Outage / Compromiseseverity 8

Resilience risks 3

• R20 Recovery Failure (post-breach)severity 9
• R21 IR Capability Gapseverity 8
• R22 Business Continuity Failureseverity 8

Play CISO Game free →