CISO·SIM A Cybersecurity Investment Simulation · FY2009 – FY2016

You are the newly appointed Chief Information Security Officer of Meridian Logistics. Over eight fiscal years — 32 quarters — you must build a security programme that protects the company from a worsening threat landscape, all while answering to a board that measures you on results. Survive the full tenure without being removed, and do it well enough to build a personal fortune along the way.

1 The Two Budgets

Each fiscal year the board grants you two pools of money. The Change budget arrives in four quarterly instalments and buys new security controls and tier upgrades. The Run budget is granted once per year as a single lump and pays the recurring costs of running the programme — staff payroll and tooling licences. Unspent Change banks to a Capital Reserve each quarter; unspent Run banks only at year-end.

2 Controls & Threats

Ten threats — malware, ransomware, insider risk, APTs and more — each carry a likelihood and an impact. You counter them by deploying controls from the catalogue, mapped to the NIST functions Identify, Protect, Detect, Respond, Recover. Every control tier shows exactly what it does before you buy. Strong, broad coverage drives your residual risk down toward zero.

3 Staff & Satisfaction

Tools do not run themselves. Every control adds operational load to its function; fund staff from the Run budget to keep pace. Understaffed teams run controls at reduced efficacy and lose satisfaction through overwork. You may release roles to cut payroll, but it damages morale. If satisfaction stays critically low for a full year, mass resignations end your tenure.

4 The Board & the Landscape

Each year the board names a crown-jewel priority — a threat they care about most. Every quarter a threat-landscape inject also surges one threat, which often will not match the board's priority. You decide whether to re-allocate Run budget into an emergency control uplift, or ride it out. Threat events strike once a year and disrupt a team for two quarters.

5 Running a Quarter

Each quarter: review your risk register and the budget forecast, buy controls, adjust staffing, and respond to any injects. When ready, press Close Quarter / Run Threat Wave. The simulation rolls every threat, applies losses, and reports back. Losses accumulate — cross the board's rising loss tolerance and you are removed as CISO.
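The quarter loop described here, together with the likelihood-times-impact risk register of section 2 and the understaffing penalty of section 3, can be sketched as a small quantitative model. This is an added illustration, not the simulation's own code: the formulas (multiplicative mitigation, efficacy = staff / load, reserve absorbing losses first) and every figure in it are assumptions chosen to show the mechanics, not the game's actual numbers.

```python
"""Toy exposure model in the spirit of the CISO·SIM guide (added example, not the game's code).
Every formula and figure below is an assumption chosen to illustrate the described mechanics."""
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: float  # annual probability the scenario occurs, 0..1
    impact_k: float    # loss if it occurs, in $k

@dataclass
class Control:
    name: str
    function: str      # NIST CSF function it belongs to (Identify/Protect/Detect/Respond/Recover)
    coverage: dict     # threat name -> fraction of impact mitigated at full efficacy
    load: float        # operational load added to its function (assumed unit: analyst FTE)

def function_efficacy(controls, staffing):
    """Efficacy per function = staffed FTE / total load, capped at 1.0, so an
    understaffed function runs all of its controls at reduced efficacy (assumption)."""
    load = {}
    for c in controls:
        load[c.function] = load.get(c.function, 0.0) + c.load
    return {f: min(1.0, staffing.get(f, 0.0) / ld) for f, ld in load.items()}

def residual_ale(threats, controls, staffing):
    """Residual ALE = sum of likelihood * impact * (1 - mitigation); mitigations from
    different controls compound multiplicatively rather than add (assumption)."""
    eff = function_efficacy(controls, staffing)
    total = 0.0
    for t in threats:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.coverage.get(t.name, 0.0) * eff[c.function]
        total += t.likelihood * t.impact_k * remaining
    return round(total, 1)

def absorb_loss(reserve_k, loss_k, cumulative_k):
    """Capital Reserve absorbs a breach loss first; only the remainder counts toward
    the board's loss tolerance. Returns (new reserve, new cumulative loss)."""
    absorbed = min(reserve_k, loss_k)
    return reserve_k - absorbed, cumulative_k + loss_k - absorbed

# Constructed sample register and catalogue (figures invented for illustration)
THREATS = [Threat("ransomware", 0.3, 2000.0), Threat("insider", 0.2, 800.0)]
CONTROLS = [Control("EDR", "Detect", {"ransomware": 0.6}, load=2.0),
            Control("Immutable backups", "Recover", {"ransomware": 0.5}, load=1.0),
            Control("DLP", "Protect", {"insider": 0.5}, load=1.0)]
UNDERSTAFFED = {"Detect": 1.0, "Recover": 1.0, "Protect": 1.0}   # Detect staffed at half its load
FULLY_STAFFED = {"Detect": 2.0, "Recover": 1.0, "Protect": 1.0}

if __name__ == "__main__":
    print("inherent ALE :", residual_ale(THREATS, [], {}))                   # 760.0
    print("understaffed :", residual_ale(THREATS, CONTROLS, UNDERSTAFFED))   # 290.0
    print("fully staffed:", residual_ale(THREATS, CONTROLS, FULLY_STAFFED))  # 200.0
    print("reserve 150 vs loss 400:", absorb_loss(150.0, 400.0, 0.0))        # (0.0, 250.0)
```

The gap between the understaffed and fully staffed figures is the cost of buying a Detect control without funding the Run budget to operate it.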

6 Your Career & Wealth

You earn a salary plus a performance bonus each year, scaled by board and staff satisfaction, efficiency and incidents — a bad year pays no bonus, a flawless year pays a large one, and strong years raise your base salary. Spend your earnings on personal perks, or invest in a fund that compounds — and sell it later.

How you win — and lose

Win: survive all 32 quarters. Your final grade reflects cumulative loss, board and staff satisfaction, landscape awareness and personal wealth.

Removed for losses: cumulative loss crosses the board's tolerance threshold.

Removed for morale: average staff satisfaction stays critically low for four straight quarters.

Opening move: FY2009 Q1 has no inject — use it to study the risk register and the control catalogue, then invest in broad, high-value controls before the first threat wave hits.

You can reopen this guide any time with the ? Guide button.
CISO·SIM 2009 – 2016 Cyber Risk Model

Dashboard metrics (the view opens at FY2009, Q1, turn 1 of 32):
Cumulative Loss / Tolerance
Change Budget · Quarterly: for new controls & upgrades
Run Budget · Annual: staffing & licensing
Annual Loss Expectancy: residual exposure
Security Posture (0–100): control maturity index
Capital Reserve: absorbs breach losses
Mean Time to Detect (days): lower = smaller blast radius

CISO Staffing & Operations

Deployed tools are only as good as the people running them. Every control tier adds operational load to its NIST function. Fund staffing from the Run budget to keep pace — understaffed teams run controls at reduced efficacy and lose satisfaction through overwork. You can release roles to cut payroll, but doing so damages morale sharply. A team whose satisfaction stays critically low ends your tenure.

Personal Finances

Your own compensation — base salary plus a performance bonus paid each fiscal year-end, scaled by board satisfaction, staff satisfaction, capital efficiency and incidents. A flawless year pays a large bonus; a bad year pays none. Spend your earnings on personal perks, or invest in a managed fund that compounds — and sell it later.

Control Catalog

Controls are mapped to NIST CSF function and MITRE D3FEND tactic. The catalog evolves year by year — some controls do not yet exist early in the timeline. Each control has named tiers; the next tier's exact effect is shown before purchase. Unspent budget transfers to the Capital Reserve, which absorbs breach losses.

Risk Register

Residual risk per threat scenario. The register evolves as the threat landscape changes through the timeline.

Event Log

Change budget is topped up each quarter. Run budget is allocated once per year and must last all four quarters. Licensing and payroll are charged from Run. Unspent Change banks to reserve each quarter; unspent Run banks only at year-end.