R40 — Sanctions / Export-Control Violation

Stress-test Sanctions / Export-Control Violation in the Fintech IPO crunch scenario: tight budget, hawkish board, regulatory eye on you.
R40 · Governance · Severity 8 (Major) · Residual offset +10

OFAC, BIS dual-use, EU dual-use, UK sanctions. Selling to a sanctioned entity, exporting controlled cryptography (encryption items), or letting a sanctioned user access your AI models. The dominant defense is GRC (governance, risk and compliance) + identity screening + awareness.

What is Sanctions / Export-Control Violation?

A violation of OFAC, BIS dual-use, EU dual-use or UK sanctions rules: selling to a sanctioned entity, exporting controlled cryptography, or letting a sanctioned user reach your AI models. CISO Game tracks this as R40 in the live risk register: severity 8 (Major), category Governance.

How does CISO Game model Sanctions / Export-Control Violation?

Exposure for R40 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products. How the exposure model works →

Real-world parallel

Sanctions / export-control violation is the often-ignored risk for software companies. Selling to a sanctioned entity, whether knowingly or through a reseller chain, draws civil penalties on a strict-liability basis and criminal liability where the violation is willful. The control is procurement-side and contract-side; CISO involvement is usually around access controls (the screening gate itself) and audit-trail completeness, so that every screening decision can be shown to a regulator after the fact.
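The two CISO-owned pieces named above, a screening gate on access and a complete audit trail of its decisions, as an added example that is not CISO Game code or any regulator's reference implementation. The denied-party entries and the embargoed-jurisdiction set are constructed sample data, not the real OFAC, EU or UK lists, and the names and function signatures are this example's own assumptions. The gate fails closed when it cannot screen (missing name or country) and writes a hash-chained audit record for every decision, allow or deny, so gaps in the trail are detectable:

```python
"""Sanctions-screening gate with a hash-chained audit trail (added example)."""
import hashlib
import json
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample entries in the shape of a denied-party list.
# NOT the real OFAC SDN / EU / UK lists: load those from the official sources.
SAMPLE_LIST = [
    {"name": "Example Trading FZE", "aliases": ["EXAMPLE TRADING CO"], "program": "SAMPLE-1"},
    {"name": "Ivan Primer", "aliases": ["I. Primer"], "program": "SAMPLE-2"},
]
# Illustrative embargoed jurisdictions (ISO 3166-1 alpha-2); assumption for the
# example. The real set must come from current OFAC / EU / UK guidance.
EMBARGOED = {"CU", "IR", "KP", "SY"}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace."""
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", ascii_only.casefold()).split())


def list_hits(name: str) -> list[str]:
    """Programs whose entry matches the name exactly or whose tokens all appear in it."""
    query = normalize(name)
    query_tokens = set(query.split())
    hits = []
    for entry in SAMPLE_LIST:
        for candidate in [entry["name"], *entry["aliases"]]:
            cand = normalize(candidate)
            if cand == query or set(cand.split()) <= query_tokens:
                hits.append(entry["program"])
                break  # one hit per entry is enough
    return hits


@dataclass
class AuditLog:
    """Append-only log; each record commits to the previous one via SHA-256."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "prev": prev, **record}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """True only if no record was altered, reordered, or removed."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def screen(user_id: str, display_name: str, country: str, log: AuditLog) -> bool:
    """Return True if access may be granted. Fails closed; always audits."""
    reasons = []
    if not display_name:
        reasons.append("missing_name")  # cannot screen -> deny
    if not country:
        reasons.append("missing_country")  # cannot screen -> deny
    elif country.upper() in EMBARGOED:
        reasons.append(f"embargoed:{country.upper()}")
    reasons += [f"list_match:{p}" for p in (list_hits(display_name) if display_name else [])]
    allowed = not reasons
    log.append({"user": user_id, "name": display_name, "country": country,
                "decision": "allow" if allowed else "deny", "reasons": reasons})
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(screen("u1", "Alice Customer", "DE", log))   # True
    print(screen("u2", "Ivan Primér", "DE", log))      # False, diacritic folded
    print(screen("u3", "Acme Corp", "IR", log))        # False, embargoed
    print(log.verify())                                # True
```

The point of the chain is completeness rather than secrecy: a regulator asking "show me every screening decision for this user" gets a trail where a deleted or edited deny record breaks `verify()`. In production the list data would be refreshed from the official sources on a schedule and the matching would be a proper fuzzy matcher with a manual-review queue for near misses; the fail-closed behaviour for missing data is the part to keep as-is.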

How do security teams mitigate Sanctions / Export-Control Violation?

The dominant subscore levers for this risk are the ones named in the summary above: GRC, identity screening, and awareness.

Residual offset: +10 exposure points are structural, and no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.

Which related risks should you also watch?

Risks with similar dominant subscores or shared category — addressing one often helps the others:

Why does Sanctions / Export-Control Violation matter to a CISO?

Governance risk is the structural risk that lives in audits, attestations, and board reporting. Sanctions / Export-Control Violation is the kind of risk that lands a CISO in front of a regulator regardless of how well their controls actually work.

How can you test your mitigation strategy?

Click Play CISO Game free to see R40 appear live in your risk register and watch each purchase move the exposure number in real time. No signup is required.
