CybeRisk

// GROUNDED IN REALITY

Built on industry standards

Every attacker technique, defender countermeasure, threat actor profile, breach cost, and IP address scheme in CybeRisk is derived from authoritative real-world frameworks used by security professionals worldwide. This page explains which standard governs what.

MITRE ATT&CK®

mitre.org/attack

A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK defines the playbooks attackers actually use — from initial access through exfiltration.

USED IN CYBERISK FOR

  • → Every attacker shop item carries a MITRE technique ID (e.g. T1566 for phishing)
  • → Attacker nation selection references documented ATT&CK threat groups
  • → Attacker archetype behaviours map to ATT&CK group profiles (FIN7, APT28, Lazarus…)

VERIS

Vocabulary for Event Recording and Incident Sharing

The schema behind the Verizon Data Breach Investigations Report (DBIR). VERIS classifies threat actors (who), actions (what), assets (where), and attributes (impact). It is the industry standard for breach incident taxonomy.

USED IN CYBERISK FOR

  • → All five attacker archetypes map to a VERIS threat-actor category
  • → CISO defender archetype maps to VERIS Internal › Leadership
  • → Breach outcome classifications (confidentiality, integrity, availability)

NIST CSF 2.0

National Institute of Standards and Technology — Cybersecurity Framework

The US federal standard for cybersecurity risk management, widely adopted globally. CSF 2.0 organises security activities into six functions: Govern, Identify, Protect, Detect, Respond, Recover.

USED IN CYBERISK FOR

  • → Every defender shop item is tagged with its NIST CSF function (PR.AT, DE.CM, RS.RP…)
  • → Defender action categories (Identify, Protect, Detect, Respond) follow CSF structure
  • → Compliance items reference specific sub-categories (SOC 2 → GV.RM, EDR → DE.CM)

IBM Cost of a Data Breach 2024

Ponemon Institute — annual industry benchmark

The longest-running study of real-world data breach costs, covering 604 organisations across 17 industries and 17 countries. The 2024 report found a global average breach cost of $4.88M, with healthcare as the most expensive sector for the 13th consecutive year ($10.93M).

USED IN CYBERISK FOR

  • → Industry breach payout values are Ponemon-scaled (Healthcare $250K, Education $65K…)
  • → Industry attack surface and security maturity scores reflect Ponemon sector benchmarks
  • → Mandatory compliance costs reflect real industry regulatory spend

RFC 5737 / RFC 3849

IANA documentation address ranges

IANA reserves specific IP address ranges exclusively for documentation, examples, and fictional scenarios — guaranteed never to be routed on the public internet. RFC 5737 defines 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 for IPv4. RFC 3849 defines 2001:db8::/32 for IPv6.

USED IN CYBERISK FOR

  • → All in-game IPv4 addresses use the 203.0.113.0/24 documentation range (TEST-NET-3)
  • → All in-game IPv6 prefixes use 2001:db8:: documentation space
  • → Addresses are deterministic (SHA-256 hash of profile + service key) and stable across sessions
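As an added illustration (not CybeRisk's own code), the following Python shows one way to derive stable addresses that can only land inside these reserved ranges from a SHA-256 of profile and service key, plus the guard that checks any generated address really is a documentation address. The NUL separator, the hash bytes selected, and the function names are assumptions, not the game's scheme.

```python
import hashlib
import ipaddress

# Reserved documentation networks: RFC 5737 TEST-NET-3 and RFC 3849.
IPV4_DOC_NET = ipaddress.ip_network("203.0.113.0/24")
IPV6_DOC_NET = ipaddress.ip_network("2001:db8::/32")
ALL_DOC_NETS = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def _digest(profile: str, service_key: str) -> bytes:
    # Assumed encoding (not CybeRisk's): join with a NUL separator so that
    # ("ab", "c") and ("a", "bc") hash differently.
    return hashlib.sha256(f"{profile}\x00{service_key}".encode("utf-8")).digest()


def doc_ipv4(profile: str, service_key: str) -> ipaddress.IPv4Address:
    """Deterministic host in 203.0.113.0/24; skips .0 (network) and .255 (broadcast)."""
    host = 1 + _digest(profile, service_key)[0] % 254          # 1..254
    return IPV4_DOC_NET.network_address + host


def doc_ipv6(profile: str, service_key: str) -> ipaddress.IPv6Address:
    """Deterministic address in 2001:db8::/32: the /32 prefix is fixed and the
    remaining 96 bits come from the hash, so the result cannot leave the range."""
    suffix = int.from_bytes(_digest(profile, service_key)[4:16], "big")   # 12 bytes = 96 bits
    return IPV6_DOC_NET.network_address + suffix


def is_documentation_address(addr: str) -> bool:
    """Guard for generated data: True only if addr lies in an RFC 5737 / RFC 3849 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALL_DOC_NETS)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the game.
    for profile, svc in (("acme-corp", "web"), ("acme-corp", "vpn")):
        v4, v6 = doc_ipv4(profile, svc), doc_ipv6(profile, svc)
        assert is_documentation_address(str(v4)) and is_documentation_address(str(v6))
        print(f"{profile}/{svc}: {v4} {v6}")
```

Because the prefix is fixed and only the host bits are taken from the hash, the guard is a safety net for other data sources rather than something this generator can fail.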

GDPR / Industry Compliance Regimes

PCI-DSS · HIPAA · SOX · FedRAMP · NERC CIP · ISO 27001 · SOC 2 · and more

Real regulatory frameworks that impose mandatory costs on organisations operating in specific industries or countries. Each framework has different scope, penalty structures, and audit requirements — all of which affect the defender's budget.

USED IN CYBERISK FOR

  • → Mandatory compliance costs are committed from the day-one defender budget (PCI-DSS for Retail, HIPAA for Healthcare…)
  • → Country expansion compliance costs scaled by each nation's regulatory regime
  • → Defender shop items reference the certifications they satisfy (ISO 27001, SOC 2, FedRAMP)

// ATTACKER SHOP — MITRE ATT&CK CROSS-REFERENCE

Every item an attacker can purchase maps to a real ATT&CK technique. This is not flavour text — the technique ID defines which defender controls counter it.

Item                          Category                    Cost       ATT&CK ID
Phishing Kit                  Initial Access              $500       T1566
VPN / Proxy Chain             Defense Evasion             $800       T1090
Credential Dump               Credential Access           $1,000     T1589
Social Engineering Script     Reconnaissance              $1,500     T1598
Known CVE Exploit             Exploitation                $2,000     T1190
C2 Infrastructure             Command & Control           $3,000     T1583.003
Botnet — 500 nodes            Resource Development        $5,000     T1583.005
Custom Malware Loader         Execution                   $8,000     T1059
Ransomware-as-a-Service       Impact — generates income   $10,000    T1486
Insider Recruit               Privilege Escalation        $15,000    T1078.001
Botnet — 10K nodes            Resource Development        $20,000    T1583.005
Zero-Day Exploit              Exploitation                $50,000    T1190

// DEFENDER SHOP — NIST CSF 2.0 CROSS-REFERENCE

Every defender investment maps to a NIST CSF 2.0 function. GV = Govern, ID = Identify, PR = Protect, DE = Detect, RS = Respond, RC = Recover.

Item                          Category                          Cost       CSF ID
Security Awareness Training   People — Protect                  $2,000     PR.AT
MFA Rollout                   Identity — Protect                $3,000     PR.AC
Web Application Firewall      Network — Protect                 $4,000     PR.PT
Threat Intelligence Feed      Risk Assessment — Identify        $6,000     ID.RA
Deception Technology          Continuous Monitoring — Detect    $7,000     DE.CM
EDR Solution                  Continuous Monitoring — Detect    $8,000     DE.CM
Data Loss Prevention          Data Security — Protect           $9,000     PR.DS
ISO 27001 Certification       Risk Management — Govern          $10,000    GV.RM
Cyber Insurance Policy        Mitigation — Respond              $12,000    RS.MI
SOC 2 Audit                   Risk Management — Govern          $12,000    GV.RM
SIEM Platform                 Anomalies & Events — Detect       $15,000    DE.AE
Penetration Test              Risk Assessment — Identify        $15,000    ID.RA
SOAR Platform                 Mitigation — Respond              $18,000    RS.MI
IR Retainer 24/7              Response Planning — Respond       $20,000    RS.RP