R35 — Post-Quantum Cryptographic Risk

Stress-test Post-Quantum Cryptographic Risk in the Standard run scenario (Mid-size SaaS company, balanced challenge).

R35 · Data · Severity 6 (Moderate) · Residual offset +20

Adversaries harvest TLS-encrypted captures today to decrypt them once cryptographically relevant quantum computers arrive. NIST has finalized ML-KEM and ML-DSA (FIPS 203 and 204); migration to hybrid post-quantum key exchange is the dominant control. The residual is large and slow to retire because legacy systems, embedded devices, and long-lived signed artifacts cannot be re-keyed or re-signed quickly.

What is Post-Quantum Cryptographic Risk?

The public-key algorithms in use today (RSA and elliptic-curve key exchange and signatures) are breakable by a sufficiently capable quantum computer, so traffic recorded now can be decrypted once one exists, and signatures made now stop being trustworthy. NIST finalized ML-KEM (FIPS 203) and ML-DSA (FIPS 204) in August 2024; hybrid key exchange that pairs a classical group with ML-KEM is the dominant control. Residual exposure stays high because legacy systems, embedded devices, and long-lived signed artifacts cannot be re-keyed or re-signed quickly. CISO Game tracks this as R35 in the live risk register, severity 6 (Moderate), category Data.

How does CISO Game model Post-Quantum Cryptographic Risk?

Exposure for R35 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products. How the exposure model works →

Real-world parallel

Post-quantum cryptographic risk is the long-horizon threat that current public-key cryptography becomes breakable when sufficiently capable quantum computers arrive. Harvest-now-decrypt-later attacks mean the timeline matters today for any data with multi-decade confidentiality requirements. NIST's PQC standards are final: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) and FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) were published in August 2024. The program work is inventorying where vulnerable algorithms are used and planning the migration, not panic.
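A concrete check behind the harvest-now-decrypt-later point: whether the clients you see on the wire are offering a hybrid post-quantum key exchange at all. The Python below is an added example, not code from CISO Game or the page. It builds a minimal TLS 1.3 ClientHello as a constructed fixture, parses the supported_groups extension, and classifies the hello using the IANA TLS Supported Groups codepoints X25519MLKEM768 (0x11EC), SecP256r1MLKEM768 (0x11EB), SecP384r1MLKEM1024 (0x11ED) and the pre-standard X25519Kyber768Draft00 (0x6399). The function names and the fixture are the example's own assumptions.

```python
"""Classify a TLS 1.3 ClientHello by whether it offers a hybrid post-quantum
key exchange group. Added example; the ClientHello bytes are constructed
locally by build_client_hello(), no network traffic is involved."""
import struct

# IANA supported_groups codepoints. The hybrid PQ entries are the ones a
# PQC migration wants to see offered; the classical ones are quantum-vulnerable.
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard draft, still seen in captures
}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}

EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(groups):
    """Construct a minimal, well-formed TLS 1.3 ClientHello record (test fixture)."""
    sg = b"".join(struct.pack(">H", g) for g in groups)
    ext_sg = struct.pack(">HH", EXT_SUPPORTED_GROUPS, len(sg) + 2) + struct.pack(">H", len(sg)) + sg
    ext_sv = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"  # offers TLS 1.3
    exts = ext_sv + ext_sg
    client_hello = (
        b"\x03\x03" + bytes(range(32))  # legacy_version + fixed (constructed) 32-byte random
        + b"\x00"                       # empty legacy_session_id
        + b"\x00\x02\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                   # compression_methods: null only
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(client_hello).to_bytes(3, "big") + client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _parse_extensions(buf):
    """Return [(ext_type, ext_data)] from a length-prefixed TLS extensions block."""
    total = struct.unpack(">H", buf[:2])[0]
    pos, end, out = 2, 2 + total, []
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", buf[pos:pos + 4])
        out.append((etype, buf[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return out


def parse_client_hello(record):
    """Return the supported_groups codepoints offered in a single-record ClientHello."""
    ctype, _version, rlen = struct.unpack(">BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rlen]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hlen = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hlen]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + ch[pos]                             # skip legacy_session_id
    pos += 2 + struct.unpack(">H", ch[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + ch[pos]                             # skip compression_methods
    groups = []
    for etype, edata in _parse_extensions(ch[pos:]):
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack(">H", edata[:2])[0]
            groups = [struct.unpack(">H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return groups


def classify_hello(record):
    """Return ('hybrid-pq' | 'classical-only' | 'unknown', [group names offered])."""
    groups = parse_client_hello(record)
    names = [PQ_HYBRID_GROUPS.get(g) or CLASSICAL_GROUPS.get(g) or f"0x{g:04X}" for g in groups]
    if any(g in PQ_HYBRID_GROUPS for g in groups):
        return "hybrid-pq", names
    if groups:
        return "classical-only", names
    return "unknown", names


if __name__ == "__main__":
    for label, offered in (("modern browser", [0x11EC, 0x001D, 0x0017]),
                           ("legacy client", [0x001D, 0x0017])):
        print(label, classify_hello(build_client_hello(offered)))
```

Point parse_client_hello at the first TLS record of a captured session to learn whether clients even offer a post-quantum group. What was actually negotiated is the group in the ServerHello key_share extension, which this example does not parse; a client that offers X25519MLKEM768 still falls back to x25519 against a server that does not support it. The parser handles one unfragmented record, which is the usual shape of a ClientHello.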

How do security teams mitigate Post-Quantum Cryptographic Risk?

The dominant subscore levers for this risk are:

Residual offset: +20 exposure points are structural; no product fully removes them. For R35 the structural part is the legacy systems, embedded devices, and long-lived signed artifacts that cannot be re-keyed or re-signed on demand. Generic real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.

Sector-specific: only material when the company's tech profile is one of: Government, Healthcare, Manufacturing, On-Prem Traditional.

Which investments mitigate Post-Quantum Cryptographic Risk?

Products in CISO Game that reduce exposure to R35:

Which related risks should you also watch?

Risks with similar dominant subscores or shared category — addressing one often helps the others:

Why does Post-Quantum Cryptographic Risk matter to a CISO?

Data risk is what shows up in the news and the regulator's letter. Post-Quantum Cryptographic Risk compounds with disclosure timing, customer-trust impact, and downstream litigation.

How can you test your mitigation strategy?

Click Play CISO Game free to see R35 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.

Stress-test Post-Quantum Cryptographic Risk in the Standard run scenario →