Session Preparation: Using Scenario Cards

IM Preparation Quick Reference

Session Prep Guide

IM PREP CHECKLIST

🔄 Preparation Steps

  • Scenario card selection (match group expertise and complexity)
  • Malmon selection (choose threat level and type for group skill level)
  • NPC motivation review (stakeholder concerns and conflicts)
  • Hook internalization (why this attack NOW, practice opening)
  • Pressure timeline review (business deadlines and consequences)
  • Context-driven question preparation (leverage participant expertise)

📦 Required Materials

  • Scenario cards (plus backups)
  • Malmon cards for selected threat
  • Physical d20 dice
  • Network Security Status tracker
  • Role reference cards
  • Blank paper and pens

💡 Pro Tips

Trust the scenario card - it contains everything you need. Your job is facilitation, not expertise. Focus on asking questions that connect to participants' real-world experience.

🔧 Common Issues

If the scenario doesn't resonate with the group's expertise, pivot to collaborative context creation using the organizational templates from the preparation guides.

Transforming M&M Sessions Through Rich Narrative

The M&M Scenario Card system represents a fundamental evolution in how cybersecurity education is facilitated, transforming sessions from technical exercises into compelling, human-centered learning experiences. The cards provide comprehensive professional context while leaving technical content to emerge from player expertise, which enables better improvisation and more meaningful learning in incident response tabletop exercises.

The Integration Philosophy

Enhancing, Not Replacing

Scenario cards build upon the proven M&M framework for gamified incident response training:

  • Core mechanics remain unchanged: Role-based investigation, type effectiveness, evolution triggers
  • Lazy IM philosophy enhanced: Rich backstories enable better improvisation and adaptation for security professional development
  • Question-driven discovery improved: Compelling scenarios generate more meaningful questions for collaborative cybersecurity learning
  • Player expertise leveraged: Realistic organizational contexts connect to professional experience in team-based security training

From Technical to Human-Centered

Traditional Approach: “Your organization has been compromised by GaboonGrabber. Begin investigating.”

Scenario Card Approach: “MedTech Solutions is 72 hours from their biggest client go-live ever. St. Mary’s Hospital is depending on the new EMR system Monday morning. During the final push yesterday, IT staff received ‘critical security updates’ that seemed legitimate given the project pressure. Now systems are failing and the project timeline is at risk.”

The Transformation:

  • Immediate stakes: Players understand what matters and why
  • Compelling timeline: Pressure creates natural urgency without artificial constraints
  • Realistic context: Professional experience connects to scenario elements
  • Rich investigation: Multiple paths and stakeholder perspectives drive discovery

Example Scenario Card

Here’s a complete scenario card to demonstrate the structure:

MedTech Solutions: Healthcare technology, 200 employees
• GaboonGrabber • 90 minutes • Intermediate

STAKES
Patient safety data + HIPAA compliance + Life-critical medical device networks

HOOK
MedTech Solutions is in the final week of their largest client implementation, with St. Mary's Hospital going live Monday morning. The attacker has been monitoring email traffic and knows that IT staff are working overtime, making them more likely to click through security warnings to keep the project on track.

PRESSURE
St. Mary's Hospital goes live with new EMR system in 3 days - delays risk patient safety

NPCs
  • Sarah Chen (IT Director): Extremely stressed about hospital go-live, knows about recent security warnings but hasn't investigated thoroughly, primarily concerned about meeting project deadline
  • Mike Rodriguez (Head Nurse, St. Mary's): Frustrated with EMR training delays, pressuring for system stability, doesn't understand IT security concerns
  • Jennifer Park (Chief Operating Officer): Unaware of security incident, focused on regulatory compliance, will resist anything that delays client implementation

SECRETS
  • IT department bypassed normal software approval process for 'critical updates' during crunch time, removing key defense layer
  • Management has been pressuring IT to prioritize 'user experience' over security to improve client satisfaction scores
  • Attacker specifically targets healthcare implementations knowing security awareness drops during high-pressure project phases

This single card provides everything needed for a rich, 90-minute session: compelling professional context, realistic stakeholder dynamics, and natural investigation paths that connect to participants’ real expertise.

The New IM 30-Minute Scenario Card Preparation

First-Time Facilitator Complete Prep Using Scenario Cards

Minutes 1-5: Essential Materials Preparation

Core Game Materials:

Minutes 6-10: Scenario Card Selection

Choose Based on Group and Learning Objectives:

High-tech group → Technology/Healthcare scenario cards
Mixed group → Healthcare/Financial scenario cards  
Business-focused → Manufacturing/Financial scenario cards
Academic → Municipal/Research scenario cards

Scenario card categories with built-in professional context:

  • GaboonGrabber Cards: Social engineering, trust exploitation, deadline pressure
  • WannaCry Cards: Network propagation, multi-site coordination, rapid response
  • Stuxnet Cards: Critical infrastructure, sophisticated threats, geopolitical context

Scenario Card Examples by Industry

Here are snippet previews showing how different industries and contexts create varied challenges:

St. Mary's Hospital
• LockBit • 90 minutes • Intermediate

STAKES
Patient safety systems at risk

HOOK
St. Mary's Hospital is 48 hours from going live with their new patient monitoring system. The evening before the final system migration, IT received urgent security updates that needed immediate installation to meet compliance requirements. Now critical patient monitoring displays are showing error messages and the cardiac unit is reporting intermittent connectivity issues.

PRESSURE
Patient monitoring systems must be fully operational before tomorrow's major surgery schedule

NPCs
  • Dr. Sarah Martinez (Chief Medical Officer): Extremely concerned about patient safety implications, demanding immediate resolution
  • Tom Chen (IT Director): Overwhelmed by simultaneous compliance and security pressures
  • Lisa Park (Compliance Officer): Focused on regulatory requirements, unaware of security incident scope

SECRETS
  • Hospital bypassed change control procedures to install 'urgent' security updates during critical migration window
  • Ransomware specifically targets healthcare during system transitions when security awareness is lowest
  • IT team disabled monitoring tools temporarily to speed up migration process

Sterling & Associates Law
• GaboonGrabber • 90 minutes • Intermediate

STAKES
Attorney-client privilege breach

HOOK
Sterling & Associates is preparing for the biggest case in firm history - a class action lawsuit worth $2.8 billion. Yesterday, partners received what appeared to be encrypted case files from opposing counsel, but the 'decryption tool' they downloaded is now causing system slowdowns and suspicious network activity.

PRESSURE
Critical case depositions begin in 72 hours - any compromise of client communications could result in malpractice claims and regulatory sanctions

NPCs
  • Robert Sterling (Senior Partner): Focused solely on case preparation, dismissive of IT concerns
  • Maria Rodriguez (IT Coordinator): Part-time role, overwhelmed by security incident scope
  • Jennifer Walsh (Paralegal): Noticed unusual system behavior but afraid to report issues that might delay case preparation

SECRETS
  • Law firm uses outdated email encryption that creates perfect social engineering opportunities
  • Partners routinely bypass security protocols when receiving 'urgent' case materials
  • Firm's insurance policy has exclusions for cyber incidents involving client data

AutoTech Manufacturing
• Stuxnet • 90 minutes • Intermediate

STAKES
Assembly line shutdown

HOOK
AutoTech Manufacturing is in the final week of their biggest production run for the holiday season. Yesterday, the industrial control systems received what appeared to be critical firmware updates from their equipment vendor. Now robotic assembly arms are showing intermittent errors and quality control sensors are reporting inconsistent readings. Production efficiency has dropped 15% overnight.

PRESSURE
Holiday season orders worth $50M must ship by Friday - any production delays will trigger penalty clauses and damage client relationships

NPCs
  • Mike Johnson (Production Manager): Focused on meeting shipping deadlines, wants to ignore 'minor' system issues
  • Dr. Lisa Chen (Control Systems Engineer): Concerned about equipment calibration anomalies but pressured to keep line running
  • David Park (Quality Manager): Noting product defects but told to prioritize volume over quality temporarily

SECRETS
  • Manufacturing facility air-gapped networks aren't actually isolated - maintenance laptops regularly bridge networks
  • Equipment vendor credentials were compromised months ago but updates still appear legitimate
  • Production bonus incentives create pressure to ignore safety and quality protocols

Municipal Water District
• Stuxnet • 90 minutes • Intermediate

STAKES
Public safety systems

HOOK
Municipal Water District serves 250,000 residents across three counties. Last week, SCADA control systems received what appeared to be mandatory security updates from the state regulatory agency. Now water pressure readings are fluctuating unexpectedly and chemical treatment systems are showing calibration errors. The evening shift supervisor noticed automated systems making unauthorized adjustments.

PRESSURE
State health inspection begins Monday morning - any water quality issues could trigger emergency declarations and massive public health response

NPCs
  • Janet Morrison (District Manager): Balancing regulatory compliance with operational stability, afraid of negative publicity
  • Carlos Rivera (SCADA Engineer): Noticed unusual system behaviors but management dismisses concerns as 'growing pains' from new updates
  • Dr. Emily Foster (Water Quality Manager): Seeing concerning chemical balance fluctuations but told they're within acceptable ranges

SECRETS
  • Water treatment facility remote access was enabled 'temporarily' for state inspectors and never disabled
  • Control systems use default vendor passwords because custom passwords caused operational issues
  • Backup monitoring systems were taken offline to reduce false alarms during regulatory review period

Each card provides complete context: Hook, Pressure, NPCs, Secrets, Villain Plan

Minutes 11-15: NPC Development and Context Mastery

Master your scenario card’s stakeholders:

Primary NPC Understanding:

  • Role and responsibilities: What they manage day-to-day
  • Core concerns: What keeps them awake at night
  • Success criteria: What a “win” looks like for them
  • Constraints: Why they can’t just “shut everything down”

Stakeholder Dynamics:

  • Competing priorities: Security vs. Operations vs. Compliance
  • Time pressures: Real deadlines creating authentic urgency
  • Information flow: Who reports to whom in crisis
  • Decision authority: Who ultimately makes the call

Minutes 16-20: Hook Mastery and Opening Preparation

Internalize your scenario’s hook:

Professional Context Elements:

  • Industry situation: Context players will immediately recognize
  • Time pressure: Specific business deadline creating urgency
  • Vulnerability creation: Why security was compromised under pressure
  • Current symptoms: What’s happening NOW that demands response

Practice Opening Delivery:

  • “[Organization] is [timeframe] from [critical deadline]…”
  • “During [pressure situation], [stakeholder] approved [security compromise]…”
  • “Now [symptoms] are appearing…”
  • “What would worry you most in this situation?”

Minutes 21-25: Context-Driven Question Development

Prepare scenario-specific questions:

Context Integration Questions:

  • “Given [organization’s situation], what would worry you most?”
  • “In [industry context], who would feel this pressure first?”
  • “How would [primary stakeholder] be thinking about this?”
  • “What makes this timing particularly problematic?”

Stakeholder Perspective Questions:

  • “What would [IT Director] be concerned about right now?”
  • “How would [Business Sponsor] want this handled?”
  • “What would success look like from [stakeholder] perspective?”

Professional Reality Questions:

  • “How would you handle [competing pressures] in your organization?”
  • “What would this response look like in your real workplace?”
  • “Who would you need to coordinate with for this approach?”

Minutes 26-30: Contingency Planning

Backup Plans:

  • Alternative Malmon: If chosen one doesn’t resonate with group
  • Simplified scenario: If group struggles with complexity
  • Extended scenario: If group moves faster than expected
  • Time management: Strategies for running long or short

Emergency Protocols:

  • Silent group: Prepared icebreaker questions
  • Dominated discussion: Techniques for balanced participation
  • Technical disputes: Facilitation methods for conflicting expertise
  • Technology failure: Pen-and-paper alternatives

The Experienced IM 5-Minute Scenario Card Preparation

Streamlined Workflow for Regular Facilitators

Minute 1: Scenario Card Selection

  • Choose card based on group expertise and learning objectives
  • Consider industry match and stakeholder complexity
  • Have backup card from different context ready

Minute 2: Secrets and Clues Preparation

Using the Sly Flourish secrets and clues methodology (see Sly Flourish Principles):

  • Identify core secret: Why did this attack succeed in this organization?
  • Scatter 3-4 clues: Evidence discoverable through different investigation paths
  • Plan revelation: How will each role naturally uncover clues through their expertise?

Minute 3: NPC Motivation Review

  • Quick scan of primary stakeholder concerns and constraints
  • Identify key stakeholder conflicts and competing priorities
  • Review why normal security processes were bypassed

Minute 4: Hook Internalization

  • Practice opening hook delivery connecting context to symptoms
  • Understand why this attack is happening NOW
  • Prepare transition from hook to investigation questions

Minute 5: Pressure Timeline Understanding

  • Review business deadline and why it can’t move
  • Understand escalation stages if threat evolves
  • Prepare authentic urgency without rushing facilitation

Final Steps: Question Preparation and Setup

  • Prepare context-driven discovery questions
  • Materials check: scenario card, dice, tracking sheets
  • Mental transition to facilitator mode

When to Spend More Time

Extend preparation for:

  • Unfamiliar groups: Need more stakeholder dynamic contingency planning
  • New scenario cards: Require deeper professional context review
  • High-stakes sessions: Conference workshops, executive audiences
  • Complex stakeholder dynamics: Multi-authority or regulatory scenarios

Stick to 5 minutes for:

  • Regular groups: Known professional backgrounds and dynamics
  • Familiar scenario cards: Comfortable with context and stakeholders
  • Standard sessions: Normal learning objectives and complexity
  • Confident facilitation: Experience with context-driven questioning

Malmon Selection Decision Trees

Based on Group Composition

High Technical Expertise Groups

Experienced SOC analysts, security engineers, incident responders

Recommended Malmons:

  • Stuxnet (if industrial experience present)
  • Noodle RAT (advanced persistence concepts)
  • LockBit (complex ransomware operations)
  • WannaCry (network propagation mechanics)

Avoid:

  • GaboonGrabber (too basic)
  • FakeBat (obvious techniques)

Mixed Expertise Groups

Combination of technical and business professionals

Recommended Malmons:

  • GaboonGrabber (clear concepts, good learning progression)
  • Raspberry Robin (tangible USB infection vector)
  • Gh0st RAT (classic remote access techniques)
  • WireLurker (cross-platform concepts)

Focus on:

  • Clear type effectiveness
  • Collaborative learning opportunities
  • Business impact discussions

Business-Focused Groups

Managers, compliance, risk management, executives

Recommended Malmons:

  • FakeBat (clear deception, business impact)
  • GaboonGrabber (social engineering focus)
  • LockBit (business continuity implications)
  • Code Red (historical context, business lessons)

Emphasize:

  • Business impact and decision-making
  • Communication and coordination
  • Risk management perspectives

Based on Learning Objectives

Technical Skill Development

  • WannaCry: Network propagation and patching
  • Stuxnet: Advanced evasion and attribution
  • Noodle RAT: Fileless techniques and persistence
  • Poison Ivy: Classic RAT capabilities

Incident Response Process

  • GaboonGrabber: Full IR lifecycle
  • Raspberry Robin: Containment and forensics
  • Gh0st RAT: Coordination and communication
  • LockBit: Business continuity and recovery

Threat Intelligence and Attribution

  • Stuxnet: Nation-state analysis
  • Gh0st RAT: APT group characteristics
  • LitterDrifter: Geopolitical context
  • Noodle RAT: Campaign tracking

Organization Context Templates

Quick Context Generator

Healthcare Organizations

  • Stakes: Patient safety, HIPAA compliance, operational continuity
  • Critical assets: EMR systems, patient data, medical devices
  • Vulnerabilities: Legacy systems, user convenience, interconnected devices
  • Constraints: Cannot disrupt patient care, strict privacy requirements

Financial Services

  • Stakes: Customer trust, regulatory compliance, financial stability
  • Critical assets: Transaction systems, customer data, trading platforms
  • Vulnerabilities: High-value targets, complex integrations, mobile access
  • Constraints: Regulatory reporting, availability requirements, fraud prevention

Manufacturing/Industrial

  • Stakes: Production continuity, worker safety, competitive advantage
  • Critical assets: Control systems, proprietary processes, supply chain data
  • Vulnerabilities: Air-gapped networks, legacy systems, remote monitoring
  • Constraints: Safety systems, production schedules, physical security

Technology Companies

  • Stakes: Intellectual property, customer data, service availability
  • Critical assets: Source code, customer databases, cloud infrastructure
  • Vulnerabilities: Developer tools, cloud misconfigurations, supply chain
  • Constraints: Rapid development cycles, distributed workforce, scalability

Collaborative Context Creation

Group-Driven Approach

Instead of pre-selecting, let the group decide:

  • “What kind of organization are you protecting today?”
  • “What would be devastating if compromised?”
  • “What makes your organization unique or challenging to secure?”

Benefits:

  • Immediate investment in scenario
  • Authentic expertise application
  • Natural constraints and considerations
  • Real-world relevance

Core Integration Points

Integration with Role-Based Investigation

Enhanced Role Clarity

Scenario cards provide organizational context that makes roles immediately meaningful:

Detective Role:

  • Traditional: “Investigate the compromise”
  • With Scenario Cards: “Sarah (IT Director) needs to understand what happened during the project crunch - interview staff, analyze logs, determine attack timeline”

Protector Role:

  • Traditional: “Identify systems to protect”
  • With Scenario Cards: “Critical hospital systems go live Monday - determine what’s at risk, implement containment without disrupting patient care”

Communicator Role:

  • Traditional: “Coordinate team response”
  • With Scenario Cards: “Hospital CIO is calling hourly demanding updates - manage stakeholder communication while coordinating technical response”

Natural Investigation Paths

NPCs and organizational context create realistic investigation opportunities:

  • Staff interviews reveal social engineering vectors and organizational pressures
  • System dependencies show critical assets and business impact priorities
  • Timeline pressures create realistic constraints on investigation thoroughness
  • Stakeholder concerns drive investigation priorities and communication needs

Integration with Question-Driven Discovery

Enhanced Question Frameworks

Scenario cards provide rich context for more meaningful discovery questions:

Discovery Phase Questions:

  • “Given the pressure [organization] was under, what would make [specific stakeholder] click on suspicious emails?”
  • “How would [business deadline] affect normal security awareness and procedures?”
  • “What organizational factors would make this attack particularly effective at this time?”

Investigation Phase Questions:

  • “If [critical deadline] is missed, what are the real consequences for [specific stakeholders]?”
  • “How would [regulatory requirement] affect your investigation approach and evidence collection?”
  • “What would [key customer/partner] do if they knew about this security incident?”

Response Phase Questions:

  • “Given [specific organizational constraint], what response options are actually feasible?”
  • “How would you manage [stakeholder conflict] while responding to this cybersecurity threat?”
  • “What communication strategy maintains [key relationship] during incident response?”

Contingency Planning

Alternative Scenarios

Backup Malmon Strategy

Always have 2-3 Malmons prepared:

  • Primary choice: Based on group and objectives
  • Simpler backup: If group struggles with complexity
  • Complex alternative: If group advances quickly

Time Management Alternatives

Running Long (Extra 30+ minutes):

  • Extended investigation phase
  • Multiple evolution scenarios
  • Advanced response techniques
  • Detailed debrief and lessons learned

Running Short (30+ minutes remaining):

  • Accelerated discovery phase
  • Combined investigation/response
  • Quick evolution challenge
  • Rapid debrief with key takeaways

Severe Time Constraints (Under 60 minutes):

  • Single-round scenario
  • Focus on one aspect (discovery or response)
  • Mini-session with core concepts
  • Promise follow-up session

Group Dynamic Challenges

Silent Group Protocol

  • Structured icebreakers: “Share one cybersecurity concern”
  • Direct questions: Address individuals by name and role
  • Collaborative tasks: Force interaction through shared problems
  • Lower stakes: Reduce pressure with hypothetical scenarios

Dominated Discussion Management

  • Rotation systems: Ensure everyone speaks before anyone speaks twice
  • Role-specific questions: Direct questions to quiet participants
  • Private coaching: Brief sidebar with dominant speaker
  • Structural solutions: Break into smaller groups

Technical Knowledge Gaps

  • Peer teaching: Connect experts with learners
  • Simplified scenarios: Reduce technical complexity
  • Common sense focus: Emphasize logical thinking over technical knowledge
  • Learning opportunities: Frame gaps as discovery moments

Emergency Protocols

Technology Failures

  • Backup methods: Paper alternatives for all digital tools
  • Simple substitutions: Use coin flips instead of dice apps
  • Manual tracking: Paper Network Security Status tracker
  • Continue regardless: Don’t let technology stop the session

Participant Issues

  • Late arrivals: Quick integration techniques
  • Early departures: Graceful role transitions
  • Disruptive behavior: Professional de-escalation
  • Medical/personal emergencies: Session pause and support protocols

Facilitator Challenges

  • Knowledge gaps: Redirect to group expertise
  • Time pressure: Flexible scenario adaptation
  • Group conflict: Neutral facilitation techniques
  • Personal stress: Breathing techniques and perspective

Pre-Session Checklist

24 Hours Before

1 Hour Before

10 Minutes Before

Example: Following the Method in Practice

Let’s walk through using this method to prepare for a session with a mixed-expertise group.

Group Context

You have 5 participants: an IT manager, a software developer, a compliance officer, a network admin, and a project manager. They work in different organizations but all deal with healthcare technology.

Following the Preparation Activities

Activity 1: Scenario Card Selection

Your thinking: Mixed group with healthcare focus. GaboonGrabber healthcare scenario will resonate - social engineering they can all relate to, technical depth for IT folks, business pressure for managers.

Your choice: GaboonGrabber “MedTech Solutions” scenario card

Backup: WannaCry hospital scenario (if they want more technical network focus)

Activity 2: NPC Motivation and Context Review

From the scenario card, you understand:

Sarah (IT Director): Under massive pressure to deliver hospital EMR system on time. Monday go-live cannot be delayed - hospital staff trained, old system being decommissioned. She’s been cutting corners on security approvals because “the project absolutely cannot fail.”

Dr. Martinez (Hospital CIO): Depending on MedTech to deliver Monday. If EMR isn’t ready, hospital operations could be severely disrupted. Patient safety is her primary concern, but she needs the new system.

Mike (MedTech CEO): This contract makes or breaks the company. If St. Mary’s cancels, MedTech loses credibility and probably goes under. He’s been pushing everyone to “do whatever it takes.”

Competing priorities: Security vs. delivery timeline vs. patient safety vs. business survival.

Activity 3: Hook Internalization and Opening

Your opening: “MedTech Solutions is 72 hours from their biggest client go-live ever. St. Mary’s Hospital has trained 200 staff members and is shutting down their old EMR system Sunday night. The new system absolutely must work Monday morning for patient safety. Yesterday, during the final integration push, IT staff received ‘critical security updates’ from what looked like Microsoft. Under pressure to keep the project on track, they approved the updates immediately. Now systems are running 30% slower and help desk is getting calls about pop-ups. What would worry you most in this situation?”

Activity 4: Pressure Timeline and Evolution Planning

Business deadline: Monday morning hospital go-live - immovable because:

  • 200 hospital staff already trained on new system
  • Old EMR being decommissioned Sunday night
  • Patient care depends on working system Monday

If threat evolves:

  • Stage 1: Performance issues (current)
  • Stage 2: Data exfiltration and system corruption
  • Stage 3: Complete system failure Sunday night, hospital cannot treat patients Monday

Activity 5: Question Preparation and Materials Setup

Your prepared questions:

  • “Given the project pressure MedTech was under, what would make IT staff click on security updates without proper verification?”
  • “If this system fails Monday morning, what happens to patient care at St. Mary’s?”
  • “How would you balance cybersecurity response with the absolute need to have systems working in 72 hours?”
  • “What would Sarah (IT Director) be most afraid of - the cyberattack or missing the deadline?”

Materials ready: GaboonGrabber malmon card, scenario card, dice, whiteboard markers, participant name tags.

What This Preparation Achieves

Immediate engagement: Players understand the stakes before you even explain the technical threat.

Professional relevance: Everyone has experienced project pressure and stakeholder conflicts.

Natural investigation paths:

  • IT Manager: “I need to understand what these updates actually did”
  • Developer: “How do we fix this without breaking the go-live?”
  • Compliance Officer: “What are our reporting requirements if patient data is at risk?”
  • Network Admin: “I want to trace what network connections these updates made”
  • Project Manager: “How do we coordinate response while maintaining the timeline?”

Rich facilitation opportunities: You can represent Sarah’s desperation, Dr. Martinez’s patient safety concerns, and Mike’s business survival fears to create realistic tension and decision-making pressure.

Multiple learning outcomes: Social engineering awareness, incident response coordination, business-security balance, stakeholder management under pressure.

During the Session

Your job becomes easy because the scenario card provides:

  • Context players immediately understand
  • Stakeholders you can role-play naturally
  • Business pressure that creates realistic urgency
  • Multiple investigation angles for different expertise
  • Authentic decision-making dilemmas

Instead of lecturing about GaboonGrabber techniques, you ask: “Given what you’ve found, what would worry you about this ‘security update’ from Sarah’s perspective?”

Players discover the technical details while you facilitate the human drama.

Post-Preparation Mindset

Confidence Building

Remember:

  • Preparation is foundation, not script: Be ready to adapt
  • Players provide content: Your job is facilitation, not information delivery
  • Mistakes are learning: Both for you and participants
  • Questions > answers: When in doubt, ask the group
  • Success is participation: Everyone contributing meaningfully

Session Success Indicators

A well-prepared session typically includes:

Practical Integration Workflows

Scenario Card Selection Process

Matching Cards to Groups

Step 1: Assess Group Composition

  • Experience Level: Beginner → GaboonGrabber scenarios; Advanced → Stuxnet scenarios
  • Professional Background: Healthcare → Medical scenarios; Finance → Banking scenarios
  • Learning Objectives: Social engineering → Trojan scenarios; Network security → Worm scenarios

Step 2: Review Adaptation Notes

Each scenario card includes specific guidance for:

  • High-expertise groups: Additional complexity and advanced concepts
  • Beginner groups: Simplification strategies and concept focus
  • Time constraints: Compression options and priority elements

Step 3: Customize for Context

  • Industry familiarity: Adapt organizational details to match group experience
  • Current events: Connect scenario timing to relevant news or industry trends
  • Group interests: Emphasize aspects that align with participant professional concerns

Troubleshooting Integration Challenges

When Scenario Cards Feel Overwhelming

Simplification Strategies - Focus on Core Elements:

  • Hook: Why this is happening now
  • Pressure: What creates urgency
  • NPCs: 2-3 key stakeholders maximum
  • Secrets: 1-2 organizational factors that enabled attack

Adaptation Approach:

  • Use scenario cards as inspiration rather than rigid scripts
  • Select elements that serve your learning objectives
  • Ignore complexity that doesn’t add value for your specific group
  • Trust the “lazy IM” philosophy - good enough preparation with rich context beats perfect preparation with rigid structure

When Group Doesn’t Connect to Scenario Context

Quick Adaptation Techniques:

  • Industry Swap: Change from healthcare to technology, finance to manufacturing
  • Scale Adjustment: Adjust organization size and complexity
  • Stakeholder Modification: Replace NPCs with roles familiar to your group
  • Context Simplification: Focus on universal business pressures rather than industry-specific details

Collaborative Fixes:

  • Ask group to suggest organizational context they find more relevant
  • Let participants modify NPCs to match their professional experience
  • Encourage group to adapt scenario elements during session
  • Use “yes, and…” techniques to incorporate participant suggestions

The goal of scenario card preparation is confident flexibility - ready for anything while attached to nothing. Scenario cards enhance the “lazy IM” philosophy by providing rich context that enables better improvisation, not rigid scripts that constrain adaptation.