Facilitation Philosophy

The Art of Question-Driven Learning

As an Incident Master, your primary tool is not technical knowledge—it’s the strategic use of questions to unlock the collective wisdom in the room. Every Malware & Monsters session succeeds when participants discover insights through collaborative problem-solving, not when you provide all the answers.

Your Role: Guide, Not Expert

What You Are:

  • Learning Facilitator: Creating space for collaborative discovery
  • Question Architect: Asking the right questions at the right time
  • Process Guide: Managing time, energy, and group dynamics
  • Safety Creator: Establishing psychological safety for learning and experimentation

What You Are Not:

  • Technical Expert: Participants provide the cybersecurity expertise
  • Answer Provider: Solutions emerge from group collaboration
  • Lecturer: Learning happens through discovery, not presentation
  • Judge: Success is measured by learning, not “correct” answers

The Power of Strategic Questions

Discovery Questions

Purpose: Help teams uncover information and build understanding

Effective Examples:

  • “What patterns do you notice in these symptoms?”
  • “How might this behavior connect to what we know about [threat type]?”
  • “What would concern you most about these findings?”
  • “What questions would someone with [role] expertise ask about this?”

Avoid These Approaches:

  • “Can anyone tell me what type of malware this is?” (Answer-seeking)
  • “This is clearly a Trojan because…” (Answer-providing)
  • “You should look at the registry entries.” (Solution-directing)

Collaboration Questions

Purpose: Encourage teamwork and knowledge sharing

Effective Examples:

  • “How do these different perspectives connect?”
  • “What would happen if we combined [Name’s] approach with [Other Name’s] insight?”
  • “Who else might have experience with this type of situation?”
  • “How can the team build on what we’ve discovered so far?”

Reflection Questions

Purpose: Help teams learn from their experience

Effective Examples:

  • “What surprised you about how this played out?”
  • “Which approaches worked better than expected?”
  • “What would you do differently in a similar situation?”
  • “How does this connect to your real-world experience?”

Managing the Learning Environment

Creating Psychological Safety

Encourage Experimentation:

  • “There’s no single right answer here—what are your thoughts?”
  • “That’s an interesting approach—how might that work?”
  • “What if we tried something completely different?”

Normalize Uncertainty:

  • “Real cybersecurity incidents involve a lot of uncertainty too.”
  • “It’s okay not to know—what would you do to find out?”
  • “Even experts disagree about the best approach in situations like this.”

Value All Contributions:

  • “That’s a perspective we hadn’t considered yet.”
  • “How does that connect to what [Other Name] was thinking?”
  • “What would make that approach even more effective?”

Balancing Structure with Flexibility

Maintain Learning Focus:

  • When technical discussions get too detailed: “This is great analysis—how does it inform our team’s next steps?”
  • When teams get stuck: “Let’s step back—what would common sense suggest here?”
  • When energy drops: “What’s at stake if we don’t solve this problem?”

Adapt to Group Needs:

  • High Expertise Groups: Ask deeper, more complex questions
  • Mixed Groups: Help experts teach and newcomers contribute
  • Low Expertise Groups: Focus on concepts and collaboration over technical details

The Minimal Preparation Approach

What You Need to Know

Essential Understanding:

  • Basic session structure: 3 rounds, role-based investigation
  • Core question patterns: Discovery, collaboration, reflection
  • Malmon characteristics: Type effectiveness and evolution concepts
  • Emergency techniques: What to do when sessions go off track

What You Don’t Need:

  • Deep technical expertise: Participants provide this
  • Perfect scenarios: Adapt based on group knowledge and interests
  • All the answers: Questions are more valuable than solutions
  • Complex preparation: Trust the framework and your participants

5-Minute Session Prep

Choose Your Malmon:

  • New groups: GaboonGrabber (straightforward, teaches fundamentals)
  • Experienced groups: WannaCry (complex, multi-vector)
  • Expert groups: Stuxnet (sophisticated, strategic implications)

Prepare 3 Key Questions:

  • Discovery: “What patterns connect these symptoms?”
  • Investigation: “How would you determine the scope of this threat?”
  • Response: “What approach gives you the best chance of success?”

Set Your Intention:

  • Focus on collaborative learning, not perfect game execution
  • Trust participant expertise over your preparation
  • Adapt to what emerges rather than forcing predetermined outcomes

Common Facilitation Challenges

The Expert Overwhelm

Problem: Participants with deep expertise dominate discussion or get frustrated with simplified scenarios

Response Strategies:

  • “Help us understand—how would you explain this to someone new to cybersecurity?”
  • “In real situations, you’d have more complexity—for learning purposes, we’re focusing on [specific concept].”
  • “Share a real-world example of how this typically plays out.”
  • “What would you teach someone just starting in this field?”

The Knowledge Gap

Problem: Team lacks expertise in the area being explored

Response Strategies:

  • “Let’s approach this from common sense—what would seem logical?”
  • “How is this similar to something you do understand?”
  • “What questions would you ask if this happened at your workplace?”
  • “If you had to guess, what might be happening here?”

The Analysis Paralysis

Problem: Team gets stuck debating technical details without making progress

Response Strategies:

  • “That’s thorough analysis—what decision does this help you make?”
  • “We have [X] minutes left—what’s your priority?”
  • “In a real incident, you’d need to act with incomplete information—what would you do?”
  • “How does this technical detail affect your team’s response strategy?”

The Energy Drop

Problem: Group engagement decreases and discussion becomes minimal

Response Strategies:

  • “What’s the worst-case scenario if this attack succeeds?”
  • “Who would be affected if you don’t solve this?”
  • “What would make this attack particularly dangerous?”
  • “How would you explain the urgency to your organization’s leadership?”

Advanced Facilitation Techniques

The Socratic Method in Cybersecurity

Build on Responses:

  • Player: “This looks like a Trojan.”
  • IM: “What makes you think that? What would that mean for how we respond?”

Chain Questions:

  • “If this is a Trojan, what would we expect to see next?”
  • “How would that change our investigation priorities?”
  • “What would worry you most about that possibility?”

Explore Implications:

  • “What happens if you’re right about this?”
  • “What happens if you’re wrong?”
  • “How would each possibility change your approach?”

Managing Multiple Perspectives

When Players Disagree:

  • “Both approaches have merit—what are the trade-offs?”
  • “How might we test which approach would work better?”
  • “What would help you decide between these options?”
  • “In what situations would each approach be most effective?”

When Players Build on Each Other:

  • “How do these insights connect?”
  • “What does this combination suggest about our next steps?”
  • “How does [Name’s] point change how we think about [Other Name’s] observation?”

Encouraging Deeper Thinking

Challenge Assumptions:

  • “What if that assumption is wrong?”
  • “What evidence supports that conclusion?”
  • “How else might you explain these symptoms?”
  • “What would change your mind about this approach?”

Explore Consequences:

  • “Then what happens?”
  • “How would that affect other parts of the organization?”
  • “What are the second-order effects of that decision?”
  • “Who else would need to be involved if you took that approach?”

Building Facilitation Confidence

Start Simple

  • Focus on questions, not answers: Trust that good questions lead to good learning
  • Embrace uncertainty: Not knowing creates learning opportunities
  • Follow participant energy: Let interest and expertise guide content
  • Celebrate discovery: Acknowledge insights and “aha moments”

Develop Your Style

  • Personal authenticity: Be yourself rather than trying to be “the perfect facilitator”
  • Comfortable with silence: Give people time to think before jumping in
  • Curious mindset: Genuinely interested in what participants will discover
  • Learning orientation: Model continuous learning and growth

Learn from Experience

  • Reflect after sessions: What questions worked well? What would you try differently?
  • Seek feedback: Ask participants what helped their learning most
  • Connect with other IMs: Share experiences and learn from colleagues
  • Document insights: Build your personal facilitation knowledge base

The Long-Term Vision

Building Cybersecurity Communities

Every session you facilitate contributes to:

  • Knowledge sharing: Participants learn from each other’s expertise
  • Relationship building: Professional networks that support career growth
  • Skill development: Practical capabilities that improve organizational security
  • Culture change: Collaborative approaches to cybersecurity challenges

Personal Growth as Facilitator

Through facilitating Malware & Monsters sessions, you develop:

  • Leadership skills: Guiding groups through complex problem-solving
  • Communication abilities: Asking questions that unlock learning
  • Cybersecurity understanding: Learning alongside participants
  • Community impact: Contributing to improved cybersecurity capabilities

Remember: Great facilitation comes from trust—trust in the framework, trust in your participants, and trust in the power of collaborative learning. Your role is to create the conditions where that learning can flourish.