R03 — Phishing / Credential Theft
Awareness + identity (MFA) are the heavy hitters.
What is Phishing / Credential Theft?
Phishing tricks a user into handing an attacker their credentials, an MFA code or a live session, typically through a lookalike login page delivered by email, chat or a poisoned search result; credential theft is the compromise of passwords, tokens or session cookies that follows. Awareness + identity (MFA) are the heavy hitters. CISO Game tracks this as R03 in the live risk register, severity 7 (Major), category External.
How does CISO Game model Phishing / Credential Theft?
Exposure for R03 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products. How the exposure model works →
Real-world parallel
Phishing is where most external incidents start. Modern phishing has industrialized: phishing-as-a-service kits clone every major SaaS login, adversary-in-the-middle (AiTM) proxies relay the victim's login in real time and harvest the resulting session cookie, which defeats OTP and push-based MFA, and SEO-poisoned results and malicious ads deliver malware from search-result clicks. Posture-side, the program needs phishing-resistant MFA (FIDO2/WebAuthn, whose assertions are bound to the real origin and cannot be relayed by a proxy) plus identity-side detection (suspicious sign-in analytics: new device, impossible travel, a session used from a second network without a fresh authentication). Awareness training has a real but limited ceiling: sustained programs are reported to pull click-rates from roughly 20% down to roughly 3%, but never to zero.
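To make the "past MFA" point concrete, the following is an added illustration, not code from the CISO Game page or project, of why an AiTM proxy can relay a TOTP code but cannot relay a WebAuthn assertion. The relying party names, the credential key and the use of an HMAC as a stand-in for the authenticator's signature are assumptions: a real authenticator signs with an asymmetric key (for example ES256) and the relying party verifies with the stored public key, but the origin and RP-ID binding checked here is the same.

```python
"""AiTM relay against TOTP (succeeds) versus WebAuthn (fails on origin binding).

Added example, not part of the CISO Game page. HMAC stands in for the
authenticator's asymmetric signature (assumption); everything else follows the
WebAuthn assertion layout: clientDataJSON carries the browser-observed origin,
authenticatorData starts with sha256(rpId), and the signature covers both.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                        # assumed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-com.evil"    # assumed AiTM proxy origin
CREDENTIAL_KEY = b"\x01" * 32                      # stand-in for the key pair
TOTP_SECRET = b"12345678901234567890"              # RFC 4226 test-vector secret


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(origin: str, challenge: str, rp_id: str) -> dict:
    """What the browser plus authenticator produce for a login.

    The browser, not the page, fills in `origin` from the tab's real URL and
    only allows an rpId that is a registrable suffix of that origin, so a page
    served from PHISH_ORIGIN can never obtain an assertion for RP_ID.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01"        # rpIdHash || flags (UP set)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: str):
    """Relying-party side: challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = secrets.token_urlsafe(16)
    return verify_assertion(authenticator_sign(RP_ORIGIN, challenge, RP_ID), challenge)


def aitm_relayed_login():
    """Proxy fetches a challenge from the RP and relays it to the victim's
    browser, which is on the phishing origin; the forwarded assertion is bound
    to that origin and its RP ID, so the RP rejects it."""
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(PHISH_ORIGIN, challenge, "login.example-com.evil")
    return verify_assertion(assertion, challenge)


def aitm_tampered_origin():
    """Proxy rewrites origin and rpIdHash before forwarding: the signature no
    longer matches the signed bytes."""
    challenge = secrets.token_urlsafe(16)
    assertion = authenticator_sign(PHISH_ORIGIN, challenge, "login.example-com.evil")
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd, separators=(",", ":"), sort_keys=True).encode()
    assertion["authenticatorData"] = rp_id_hash(RP_ID) + assertion["authenticatorData"][32:]
    return verify_assertion(assertion, challenge)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 truncation)."""
    counter = (t // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def aitm_relayed_totp(now: int = 1_700_000_000) -> bool:
    """The code the victim types on the phishing page is forwarded verbatim;
    the RP has no way to tell where it was typed, so the relay succeeds."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)
    return totp(TOTP_SECRET, now) == code_typed_on_phish_page


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("AiTM relay of WebAuthn:", aitm_relayed_login())
    print("AiTM tampered origin:", aitm_tampered_origin())
    print("AiTM relay of TOTP succeeds:", aitm_relayed_totp())
```

The checks that matter are the second and third in `verify_assertion`: the relying party compares the origin the browser wrote into clientDataJSON and the hash of the RP ID against its own values before it even looks at the signature, and the signature covers both, so the proxy can neither forward the assertion as-is nor edit it.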
How do security teams mitigate Phishing / Credential Theft?
The dominant subscore levers for this risk are:
- Identity subscore — weight 45%
- Awareness subscore — weight 25%
- Prevention subscore — weight 20%
- Detection subscore — weight 10%
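The Detection lever above corresponds, in practice, to the sign-in analytics that catch a harvested session cookie being replayed. The following is an added example, not part of the CISO Game page or product: a small detector run over constructed sign-in log lines (the users, IPs, ASNs and field names are invented for the illustration). It flags a session whose later requests come from a different network (ASN) or a different user agent than the authentication that created it, which is what an AiTM proxy leaves behind: the sign-in is performed from the proxy's host, and the stolen cookie is then used from somewhere else without any fresh authentication.

```python
"""Flag session cookies used from a different network or client than the
sign-in that issued them. Added example; log format and values are constructed.
"""
import json
from collections import defaultdict

# Constructed sample log (JSON lines). s-1001 models an AiTM theft: the sign-in
# arrives from a hosting-provider address (the proxy) and the cookie is then
# replayed from another network with a different browser. s-1003 models benign
# carrier IP churn within one ASN and must not be flagged.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:05Z","user":"alice","event":"signin","session":"s-1001","ip":"198.51.100.77","asn":"AS64511","ua":"Chrome/124 Windows","mfa":"totp"}
{"ts":"2024-05-01T09:00:41Z","user":"alice","event":"request","session":"s-1001","ip":"203.0.113.10","asn":"AS64500","ua":"Firefox/125 Linux","mfa":null}
{"ts":"2024-05-01T09:12:00Z","user":"bob","event":"signin","session":"s-1002","ip":"203.0.113.22","asn":"AS64500","ua":"Safari/17 macOS","mfa":"fido2"}
{"ts":"2024-05-01T10:30:00Z","user":"bob","event":"request","session":"s-1002","ip":"203.0.113.22","asn":"AS64500","ua":"Safari/17 macOS","mfa":null}
{"ts":"2024-05-01T11:00:00Z","user":"carol","event":"signin","session":"s-1003","ip":"192.0.2.5","asn":"AS64496","ua":"Firefox/125 Linux","mfa":"push"}
{"ts":"2024-05-01T11:05:00Z","user":"carol","event":"request","session":"s-1003","ip":"192.0.2.9","asn":"AS64496","ua":"Firefox/125 Linux","mfa":null}
"""


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_replay(text: str) -> list:
    """Return one finding per post-sign-in event whose ASN or user agent differs
    from the sign-in that created the session.

    ASN rather than raw IP is compared so that mobile or NAT address churn
    inside one provider does not fire; a full deployment would also consult
    the device or token binding the IdP exposes.
    """
    by_session = defaultdict(list)
    for ev in parse_log(text):
        by_session[ev["session"]].append(ev)

    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])          # ISO-8601 Z sorts lexically
        signin = next((e for e in events if e["event"] == "signin"), None)
        if signin is None:
            continue                                # no sign-in seen; out of scope here
        for ev in events:
            if ev is signin:
                continue
            reasons = []
            if ev["asn"] != signin["asn"]:
                reasons.append(f"asn {signin['asn']} -> {ev['asn']}")
            if ev["ua"] != signin["ua"]:
                reasons.append("user-agent changed")
            if reasons:
                findings.append({"session": sid, "user": ev["user"],
                                 "ts": ev["ts"], "signin_ip": signin["ip"],
                                 "ip": ev["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOG):
        print(f)
```

Run against the sample, only alice's session is reported, with both the network change and the client change as reasons; bob's and carol's sessions are quiet. The response to such a finding is to revoke the session server-side, not just to prompt for MFA again, because the attacker already holds a post-MFA cookie.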
Which investments mitigate Phishing / Credential Theft?
Products in CISO Game that reduce exposure to R03:
- Basic EDR (entry-level prevention) · EDR
- Mid-Tier EDR (industry standard) · EDR
- Premium XDR (full endpoint + identity) · EDR
- Mobile Device Management (MDM) · Endpoint Mgmt
- Basic email gateway · Email Sec
- Advanced email security (anti-BEC) · Email Sec
- Secure Web Gateway (SWG) · Network
- Remote Browser Isolation (RBI) · Network
Which related risks should you also watch?
Risks with similar dominant subscores or shared category — addressing one often helps the others:
- R08 Account Takeover · External · severity 7
- R10 Privilege Abuse · Insider · severity 7
- R12 Third-Party Access Risk · Insider · severity 7
- R19 M&A Integration / Diligence Failure · Governance · severity 7
Why does Phishing / Credential Theft matter to a CISO?
External adversarial risks like phishing / credential theft are the risks boards expect their CISO to talk about. They drive the strongest demand for detection + response capability and the strongest emotional response in the boardroom.
How can you test your mitigation strategy?
Click Play CISO Game free to see R03 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.
Stress-test Phishing / Credential Theft in the Standard run scenario →