Sly Flourish Principles for Security Training Platform Facilitation

The Lazy IM Philosophy

The most effective cybersecurity facilitators are often the “laziest” - not because they don’t care, but because they’ve learned that minimal preparation creates maximum engagement. This counterintuitive approach, adapted from Sly Flourish’s lazy Dungeon Master methodology, transforms how we approach cybersecurity education.

Why Less Preparation Works Better

Traditional approach: Detailed scenarios, scripted responses, predetermined outcomes
Lazy IM approach: Minimal setup, player-driven content, emergent storytelling

The lazy approach works because:

  • Player expertise drives content: Your participants know more collectively than you do individually
  • Authentic scenarios emerge: Real experiences create better learning than fictional ones
  • Engagement increases: People invest more in stories they help create
  • Adaptability improves: Less rigid preparation means better response to group needs

The 5-Minute Preparation Method

The Complete Workflow

Minute 1: Organization Context
Choose or let group decide:

  • Industry type (healthcare, finance, manufacturing, etc.)
  • Organization size (startup, mid-size, enterprise)
  • What they protect (customer data, intellectual property, critical infrastructure)

Minute 2: Symptom Selection
Pick 2-3 observable symptoms from the bank:

  • Performance issues (slow computers, network lag)
  • User reports (strange emails, unexpected pop-ups)
  • System anomalies (new processes, unusual traffic)

Minutes 3-4: Malmon Choice
Select based on:

  • Group expertise level
  • Learning objectives
  • Available time
  • Your comfort level

Minute 5: Mental Preparation
Review:

  • Type effectiveness for chosen Malmon
  • Key question patterns
  • Potential evolution triggers

Emergency 2-Minute Prep

When you have even less time:

  1. 30 seconds: “Mid-sized company, computers acting weird”
  2. 30 seconds: Pick familiar Malmon (GaboonGrabber for beginners)
  3. 60 seconds: Remember: ask questions, don’t provide answers

Question-Driven Discovery

The Core Principle

Never provide information that players can discover themselves.
Instead of saying: “Process injection is when malware hides inside legitimate processes”
Ask instead: “Marcus, you found programs using way more memory than normal - what could that mean?”

Universal Question Patterns

Discovery Phase Questions

  • “What’s the first thing that would seem unusual?”
  • “Who would typically notice this kind of problem first?”
  • “What pattern suggests this isn’t normal behavior?”
  • “Based on your experience, what would worry you most here?”

Investigation Phase Questions

  • “What would this threat need to accomplish its goals?”
  • “How might this connect to what we found earlier?”
  • “What would you investigate next in your real job?”
  • “What tools would help here?”

Response Phase Questions

  • “What’s your biggest constraint right now?”
  • “What could go wrong with this approach?”
  • “Who else would need to be involved?”
  • “How would you coordinate this in the real world?”

The Question Transformation Technique

Turn any technical concept into a discovery question:

Concept: Digital signatures
Bad: “This file has no digital signature, which means…”
Good: “This file has no digital signature - what does that suggest?”

Concept: Command and control servers
Bad: “The malware is communicating with its C2 server”
Good: “Something’s sending data to an external server regularly - thoughts?”

Storytelling as the Learning Engine

Why Storytelling Matters in Cybersecurity Education

Technical cybersecurity concepts become memorable and meaningful when embedded in human stories. The most effective incident response training doesn’t just teach tools and techniques - it places learners inside compelling narratives where those skills matter.

Storytelling transforms learning because:

  • Emotional engagement: Stories create investment in outcomes
  • Memory anchoring: Narrative context helps retain technical details
  • Professional relevance: Realistic scenarios connect to actual work experience
  • Collaborative discovery: Groups naturally build on story elements together
  • Mistake tolerance: Story context makes errors feel like plot developments rather than failures

The Professional Story Framework

Every effective Malware & Monsters scenario follows a three-act structure that mirrors real incident response:

Act 1: The Setup (Discovery Phase)

Hook: Why is this happening NOW?
  • Time pressure: “Hospital goes live Monday morning…”
  • Business stakes: “Customer data processing deadline Friday…”
  • Organizational tension: “Under audit pressure, IT approved…”

Characters: Who has skin in the game?
  • Primary stakeholder with clear motivations
  • Secondary stakeholders with competing priorities
  • External pressure sources (regulators, customers, executives)

Act 2: The Investigation (Crisis Escalation)

Rising tension: What gets worse if not addressed?
  • Technical escalation: threat spreads, damage increases
  • Business pressure: deadlines approach, stakes rise
  • Political complexity: stakeholders disagree, blame emerges

Discovery moments: What do players uncover?
  • Technical artifacts that tell a story
  • Timeline reconstruction that reveals attack progression
  • Connection moments where pieces fit together

Act 3: The Resolution (Response and Recovery)

Climax: Decisive action under pressure
  • Containment decisions with imperfect information
  • Resource allocation under time constraints
  • Coordination across competing priorities

Resolution: Aftermath and learning
  • Impact assessment and lessons learned
  • Prevention planning and organizational improvement
  • Professional growth and capability development

Storytelling Techniques for IMs

Show, Don’t Tell

Instead of: “This is polymorphic malware”
Try: “Each sample looks slightly different, like it’s changing itself somehow”

Instead of: “The attack uses privilege escalation”
Try: “It started with a regular user account, but now it’s accessing admin areas”

Character Motivation Drives Plot

IT Director perspective: “We can’t take systems down during quarter-end processing”
CISO perspective: “If this breaches customer data, regulatory penalties could be massive”
Operations perspective: “Production lines stop if the network goes down”

Professional Authenticity

Draw scenarios from:
  • Real organizational pressures participants recognize
  • Industry-specific constraints and timelines
  • Authentic stakeholder dynamics and competing priorities
  • Technical situations that feel familiar yet challenging

Collaborative Story Building

  • Player contributions become canon: When players add realistic details, incorporate them
  • “Yes, and…” approach: Build on player ideas rather than correcting them
  • Shared narrative ownership: Let groups shape organizational context and character motivations

Using Hooks to Create Immediate Investment

Time Pressure Hooks

  • “The merger announcement goes public tomorrow morning…”
  • “Patient admissions resume after the holiday weekend…”
  • “Payroll processing for 5,000 employees starts in 6 hours…”

Professional Stakes Hooks

  • “Your reputation with the client depends on smooth deployment…”
  • “The audit team arrives first thing Monday…”
  • “Executive leadership is already asking questions…”

Human Impact Hooks

  • “Night shift nurses can’t access patient records…”
  • “Customer service is fielding angry calls about system outages…”
  • “Remote workers can’t connect for the morning standup…”

Secrets and Clues Implementation

The heart of Sly Flourish methodology is secrets and clues - concrete information that explains what happened and drives investigation forward. Each secret answers a “why” or “how” question, and multiple clues lead to each secret.

The Three-Layer Secret Structure

Layer 1: Surface Secrets (Discovered through initial investigation)
Secret: “The attack succeeded because IT was under extreme pressure to approve software quickly”
Clues leading to this secret:
  • Email chains showing rushed approval processes
  • Staff mentioning “cutting corners” for the deadline
  • IT Director’s defensive responses about approval procedures
  • System logs showing normal security checks were bypassed

Layer 2: Deeper Secrets (Revealed through persistent investigation)
Secret: “Management has been systematically undermining security practices for months”
Clues leading to this secret:
  • Financial records showing security training budget cuts
  • Staff interviews revealing previous incidents covered up
  • Executive communications prioritizing speed over security
  • Pattern of successful social engineering attempts

Layer 3: Root Cause Secrets (Uncovered through comprehensive analysis)
Secret: “The organization’s culture creates conditions where these attacks inevitably succeed”
Clues leading to this secret:
  • Employee turnover in security roles
  • Lack of incident response procedures
  • Executive compensation tied to short-term delivery goals
  • Previous attacks that weren’t properly addressed

Practical Secret Development for M&M Sessions

For GaboonGrabber Healthcare Scenario:

Secret 1: “The software appeared legitimate because it was distributed through a compromised healthcare vendor”
Clues:
  • Vendor logo and branding match the legitimate company
  • Download came from the vendor’s actual domain (after compromise)
  • Staff recognized the vendor name from previous legitimate communications
  • Certificate appears valid, but its issue date falls after the domain compromise (anyone controlling the domain can obtain a domain-validated certificate)

Secret 2: “IT staff bypassed normal validation because of patient safety pressure”
Clues:
  • Hospital leadership emphasized “patient care depends on system go-live”
  • Previous delays had caused criticism from medical staff
  • IT Director received explicit instruction to “make it work regardless”
  • Normal approval committees were skipped for “emergency deployment”

Secret 3: “The attack specifically targeted healthcare organizations during high-pressure periods”
Clues:
  • Similar incidents at other hospitals during go-live periods
  • Malware specifically designed to evade healthcare security tools
  • Timing coincides with industry-wide EMR implementation deadline
  • Threat actor demonstrated knowledge of healthcare operational cycles

Clue Distribution Strategy

Scatter clues across investigation paths:
  • Detective findings: Digital forensics reveal technical artifacts
  • Protector discoveries: System analysis shows security control failures
  • Tracker observations: Network analysis reveals communication patterns
  • Communicator interviews: Stakeholder conversations reveal organizational pressures
  • Crisis Manager research: Business analysis reveals strategic contexts
  • Threat Hunter insights: Advanced analysis reveals attribution clues

Make clues discoverable through player expertise:
  • Technical staff find technical clues naturally
  • Business professionals notice organizational pressure clues
  • Mixed groups collaborate to connect different clue types
  • Questions help groups discover clues they’re positioned to find

Storytelling Recovery Techniques

When Groups Get Lost in Technical Details

  • Zoom out to story: “Let’s step back - what’s the impact on the organization?”
  • Character perspective: “What would the IT Director be thinking right now?”
  • Time pressure: “Meanwhile, the deadline is still approaching…”
  • Secrets focus: “What does this technical finding tell us about why the attack succeeded?”

When Interest Drops

  • Escalate stakes: “Just as you think you have it contained…”
  • Add human element: “End users are starting to complain about…”
  • Introduce urgency: “Executive leadership just called a meeting…”
  • Reveal deeper secrets: “This investigation is uncovering something bigger…”

When Groups Move Too Fast

  • Slow with story: “Before we implement that, what would Legal say?”
  • Add complexity: “That’s a good plan, but what about the compliance requirements?”
  • Character perspective: “How would you explain this decision to the CEO?”
  • Unresolved secrets: “What still doesn’t make sense about how this attack succeeded?”

Using Player Expertise as Your Content Engine

The Expertise Extraction Method

Direct Consultation

“Sarah, given your SOC experience, what would you check first?”
“Alex, from a network perspective, what concerns you about this traffic?”

Experience Mining

“Has anyone dealt with something similar?”
“What does this remind you of from your work?”
“Who here has seen [relevant technology] before?”

Collaborative Building

“Let’s think through this together…”
“What would the group recommend here?”
“How would you approach this as a team?”

When Nobody Knows

The Progressive Revelation Technique

Layer 1: Simplify the question
Original: “How would you detect fileless malware?”
Simplified: “How would you notice something running that isn’t supposed to be there?”

Layer 2: Provide context clues
“Think about it - if malware is hiding in memory, what might give it away?”

Layer 3: Multiple choice framework
“Would you be more concerned about: A) New files appearing, B) Processes using unusual memory, or C) Network connections to unknown servers?”

Layer 4: Graceful teaching moment
“This is actually a great learning opportunity. In the real world, security professionals look for…”

Practical Secrets and Clues Preparation

The 5-Minute Secret Development Process

Step 1 (60 seconds): Define the Core Question
What’s the one thing that explains why this attack succeeded?
  • Example: “Why did experienced IT staff fall for obvious social engineering?”

Step 2 (90 seconds): Create the Answer (Secret)
  • Secret: “IT was under extreme deadline pressure that made normal security validation impossible”

Step 3 (90 seconds): Scatter 4-6 Clues
  • Email: “Need this approved by EOD or project fails”
  • Interview: “We’ve been working 80-hour weeks”
  • System: Security scan skipped in deployment logs
  • Business: Patient safety depends on Monday go-live
  • Financial: Penalty clauses for late delivery

Step 4 (60 seconds): Plan Discovery Methods
  • Detective: Finds deployment logs and email chains
  • Communicator: Interviews reveal deadline pressure
  • Crisis Manager: Discovers business pressures and penalties

Step 5 (30 seconds): Prepare Follow-up Questions
  • “What pressure would make experienced IT staff cut corners?”
  • “How would deadline stress affect security decision-making?”

Secret Templates for Common M&M Scenarios

Trojan/Social Engineering Scenarios

Template Secret: “The deception succeeded because [organizational pressure] made [normal security practice] impossible”

GaboonGrabber Healthcare Example:
  • Secret: “Hospital staff clicked malicious links because patient safety pressure overrode security training”
  • Clues: Emergency protocols, patient criticality, staff exhaustion, management pressure

FakeBat Financial Example:
  • Secret: “Banking staff installed fake software because regulatory deadline made normal approval process too slow”
  • Clues: Audit timeline, compliance requirements, executive pressure, process shortcuts

Worm/Propagation Scenarios

Template Secret: “The worm spread because [security control] was disabled for [business reason]”

WannaCry Manufacturing Example:
  • Secret: “Network segmentation was disabled to meet production deadlines, allowing worm propagation”
  • Clues: Production schedules, network changes, efficiency demands, cost pressures

Ransomware Scenarios

Template Secret: “The ransomware succeeded because [backup/recovery system] failed due to [organizational issue]”

LockBit Education Example:
  • Secret: “Backups were compromised because budget cuts eliminated proper backup testing and monitoring”
  • Clues: Budget documents, untested backups, staff reductions, maintenance deferrals

Advanced Secrets and Clues Techniques

The Interconnected Secrets Method

Create secrets that build on each other for deeper investigation:

Secret Level 1: “Attack succeeded due to software approval shortcuts”
Secret Level 2: “Shortcuts were mandated by unrealistic management deadlines”
Secret Level 3: “Deadlines exist because organization culture prioritizes appearance over substance”

Each level explains the previous and leads to more fundamental understanding.

The Red Herring Management

Use false leads that teach real concepts:
  • False lead: “Disgruntled employee might be insider threat”
  • Real lesson: Shows importance of thorough investigation before conclusions
  • Investigation value: Teaches proper attribution and evidence evaluation

The Collaborative Secret Discovery

Design secrets that require multiple player roles to uncover:
  • Detective finds technical artifacts
  • Communicator reveals organizational context through interviews
  • Crisis Manager connects business pressures to security decisions
  • Complete secret emerges only when roles collaborate
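A quick way to sanity-check a prep sheet against the two rules above (the 5-Minute Secret Development Process says to scatter 4-6 clues per secret, and the Collaborative Secret Discovery section says no single role should be able to reveal a secret alone) is to write the plan down as data and let a short script flag the secrets that break them. This is an added example for this guide, not part of the Malware & Monsters material; the data model (a clue tagged with the role positioned to find it), the thresholds, and the sample plan are assumptions chosen to match the text.

```python
"""Prep-sheet check for a Secrets and Clues plan.

Added example for this facilitation guide; not part of the Malware & Monsters
material. The data model and thresholds are assumptions matching the guide's
advice: 4-6 clues per secret, spread so the secret only emerges when roles
collaborate.
"""
from collections import Counter
from dataclasses import dataclass, field

# Player roles named in the guide's clue distribution strategy.
ROLES = {"Detective", "Protector", "Tracker",
         "Communicator", "Crisis Manager", "Threat Hunter"}


@dataclass
class Clue:
    role: str     # role positioned to find this clue
    source: str   # email, interview, log, business record, ...
    text: str


@dataclass
class Secret:
    statement: str
    clues: list[Clue] = field(default_factory=list)


def check_secret(secret, min_clues=4, max_clues=6, min_roles=2, max_share=0.5):
    """Return a list of warnings for one secret (empty list means ready to run)."""
    warnings = []
    n = len(secret.clues)
    if n < min_clues:
        warnings.append(f"only {n} clues; aim for {min_clues}-{max_clues}")
    elif n > max_clues:
        warnings.append(f"{n} clues; more than {max_clues} slows the session")
    unknown = sorted({c.role for c in secret.clues} - ROLES)
    if unknown:
        warnings.append(f"unknown roles: {', '.join(unknown)}")
    by_role = Counter(c.role for c in secret.clues)
    if len(by_role) < min_roles:
        warnings.append(
            f"clues reach only {len(by_role)} role(s); secret will not need collaboration")
    if n:
        # If one role holds more than max_share of the clues, it can carry the
        # whole discovery alone, which defeats the collaborative design.
        role, count = by_role.most_common(1)[0]
        if count / n > max_share:
            warnings.append(f"{role} holds {count}/{n} clues and could reveal the secret alone")
    return warnings


def check_plan(secrets):
    """Map each secret statement to its warnings."""
    return {s.statement: check_secret(s) for s in secrets}


# Constructed sample plan, built from the guide's deadline-pressure secret.
DEADLINE_SECRET = Secret(
    "IT was under extreme deadline pressure that made normal security validation impossible",
    [
        Clue("Detective", "email", "Need this approved by EOD or project fails"),
        Clue("Communicator", "interview", "We've been working 80-hour weeks"),
        Clue("Detective", "deployment log", "Security scan step skipped"),
        Clue("Crisis Manager", "business", "Patient safety depends on Monday go-live"),
        Clue("Crisis Manager", "contract", "Penalty clauses for late delivery"),
    ],
)

# Constructed secret that only one role can reach: should be flagged.
LOPSIDED_SECRET = Secret(
    "The attack targeted healthcare organizations during go-live periods",
    [
        Clue("Threat Hunter", "threat intel", "Similar incidents at other hospitals"),
        Clue("Threat Hunter", "sample analysis", "Evasion tuned to healthcare tooling"),
    ],
)

if __name__ == "__main__":
    for statement, warnings in check_plan([DEADLINE_SECRET, LOPSIDED_SECRET]).items():
        status = "OK" if not warnings else "; ".join(warnings)
        print(f"- {statement}\n    {status}")
```

Run it after Step 4 of the 5-minute process: the deadline secret passes (five clues spread across three roles, none holding more than half), while the lopsided secret is flagged three times, which is the cue to hand a clue or two to the Communicator or Crisis Manager before the session starts.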

Session Flow with Secrets and Clues

Discovery Phase Secret Revelation

Opening Hook: Symptoms that hint at deeper problems
Question Pattern: “What could cause these specific symptoms?”
Secret Revelation: Players discover Surface Secret through collaborative investigation
Transition: “Now that we understand how this happened, what’s the impact?”

Investigation Phase Secret Deepening

Scope Questions: “How extensive might this compromise be?”
Attribution Questions: “What does this tell us about the attacker?”
Secret Revelation: Players uncover Deeper Secrets through persistent investigation
Transition: “Understanding the scope, what’s our response strategy?”

Response Phase Secret Application

Strategy Questions: “How do we address the root causes we’ve discovered?”
Prevention Questions: “What changes prevent this from happening again?”
Secret Application: Response addresses both immediate threat and underlying issues
Resolution: Players feel they’ve solved not just the technical problem but the organizational one

The Art of Productive Improvisation

“Yes, And…” for Cybersecurity

The Basic Technique

Player contribution: “I think this might be using DLL sideloading”
Yes, and response: “Yes, that’s exactly the kind of technique this Malmon uses, and that changes how we should approach detection. What would that mean for our investigation?”

Building on Uncertainty

Player: “I’m not sure, but maybe we should check the registry?”
Yes, and: “Yes, the registry is definitely worth checking, and since you mentioned it, what specifically would you look for there?”

When Players Take Unexpected Directions

The Redirect Technique

Let players pursue their interests while maintaining learning objectives:

Player interest: Deep dive into specific exploit techniques
IM response: “That’s fascinating detail. How does understanding that technique help us with our current response strategy?”

The Incorporation Method

Fold unexpected expertise into the scenario:

Unexpected expertise: Player knows about industrial control systems
IM incorporation: “Actually, this organization has some industrial components. How might that change our threat assessment?”

Minimal Notes, Maximum Impact

Your Essential Session Notes

The One-Page Prep Sheet

ORGANIZATION: [Industry/Size/Stakes]
SYMPTOMS: [2-3 observable problems]
MALMON: [Name/Type/Key abilities]
QUESTIONS: [3-5 discovery prompts]
EVOLUTION: [What happens if not contained]

Real-Time Note Taking

Track during session:

  • Player contributions that drive story
  • Emerging expertise areas
  • Group energy and engagement
  • Natural stopping/transition points

What NOT to Prepare

  • Detailed technical explanations: Players provide these
  • Predetermined outcomes: Emerge from group decisions
  • Complex branching scenarios: Improvise based on player choices
  • Extensive background materials: Create just-in-time context

Advanced Lazy Techniques

The Expertise Redirect

When asked technical questions beyond your knowledge:
“That’s a great technical question. Who here might have experience with that?”

The Collaborative Discovery

When uncertain about scenario direction:
“This is interesting. How do you think this situation would typically develop?”

The Learning Opportunity Reframe

When making mistakes:
“Actually, let’s think about this differently. What would really happen in this situation?”

Common Lazy IM Pitfalls

Over-Preparing

Problem: Detailed scenarios that ignore player expertise
Solution: Trust that players will create better content than you can plan

Under-Confidence

Problem: Feeling like you need to know everything
Solution: Remember that facilitation skills matter more than technical knowledge

Fighting Player Direction

Problem: Forcing scenarios back to your plan
Solution: Follow player interest and adapt objectives accordingly

Providing Too Much Information

Problem: Answering questions players could figure out
Solution: Turn statements into questions; let players teach each other

The Lazy IM Mindset

Core Beliefs

  • Players are experts: They know more collectively than you do individually
  • Questions > Answers: Discovery beats delivery for learning
  • Scenarios emerge: Best content comes from group collaboration
  • Mistakes are features: Uncertainty creates teaching moments
  • Less is more: Minimal prep allows maximum adaptation

Session Success Metrics

A successful lazy IM session:

Practical Application

Your First Lazy Session

  1. Choose familiar Malmon: Start with GaboonGrabber or FakeBat
  2. Minimal prep: Use the 5-minute method
  3. Trust the process: Let players drive content discovery
  4. Ask questions: When in doubt, turn it into a discovery prompt
  5. Embrace uncertainty: Use “I don’t know” as a facilitation tool

Building Lazy IM Skills

  • Practice question patterns: Make them automatic responses
  • Record sessions: Notice when you provide vs. facilitate discovery
  • Debrief with players: Ask what worked for their learning
  • Connect with other IMs: Share lazy techniques and experiences
  • Embrace the philosophy: Less preparation really does create better sessions

The lazy IM approach transforms cybersecurity education from information delivery to collaborative discovery, creating more engaging, authentic, and effective learning experiences.