Practical Facilitation Techniques

The Question Arsenal

Effective facilitation depends on asking the right questions at the right time. This chapter provides a comprehensive toolkit of questions, techniques, and responses for real-time session management.

Universal Discovery Questions

Opening Investigation Questions

These work for any Malmon and expertise level:

“What’s the first thing that would seem unusual here?”
“Who in your organization would typically notice these problems first?”
“What pattern suggests this isn’t a normal technical issue?”
“Based on your experience, what would worry you most about this situation?”
“What would be your first instinct when hearing these symptoms?”
“How would this compare to problems you’ve seen before?”

Evidence Analysis Questions

When players find clues but need to interpret them:

“What does this evidence tell us about our adversary?”
“How does this connect to what we found earlier?”
“What would someone with malicious intent do with this access?”
“If you were the attacker, what would your next move be?”
“What’s the significance of the timing here?”
“What does the sophistication level suggest?”

Pattern Recognition Questions

Help groups connect disparate clues:

“What’s the common thread between these different findings?”
“How do these pieces fit together into a single story?”
“What type of threat typically combines these techniques?”
“What does the combination of [A] and [B] usually indicate?”
“If this is all connected, what would that mean?”

Investigation Phase Question Bank

Impact Assessment Questions

For understanding scope and damage:

“What’s the worst-case scenario if this continues unchecked?”
“What would be most valuable to an attacker in this environment?”
“How would this affect your organization’s core mission?”
“What regulatory or compliance implications are you seeing?”
“Who would be most affected if this data is compromised?”
“What systems absolutely cannot be taken offline?”

Technical Deep-Dive Questions

When groups need to explore technical aspects:

“What tools would help you investigate this further?”
“How would you typically approach this type of analysis?”
“What indicators would confirm your suspicions?”
“What would you need to prove this theory?”
“How would you test whether [solution] would work?”
“What’s the technical explanation for what we’re seeing?”

Attack Vector Questions

For understanding how threats succeeded:

“How might this have gotten past your existing defenses?”
“What vulnerabilities enabled this attack?”
“Why would this technique be effective in this environment?”
“What would have had to happen for this to succeed?”
“How could this have been prevented?”
“What assumptions did the attacker make about your environment?”

Response Phase Question Bank

Strategy Development Questions

For coordinating team responses:

“What’s your biggest constraint in responding to this?”
“How would you prioritize your response actions?”
“What could go wrong with this approach?”
“How do we balance speed with thoroughness?”
“What resources would you need to implement this?”
“How would you coordinate this in your real organization?”

Risk Assessment Questions

For evaluating response options:

“What’s the risk of taking this action versus not taking it?”
“What collateral damage might this response cause?”
“How do we minimize disruption while containing the threat?”
“What happens if this response fails?”
“How do we maintain business operations during response?”
“What stakeholders need to be informed about this decision?”

Coordination Questions

For managing team dynamics during crisis:

“How do your individual actions support the overall strategy?”
“Who needs to know what, and when?”
“How do we ensure we’re not working against each other?”
“What communication is essential versus what creates noise?”
“How do we track progress across all response activities?”
“What decisions require team consensus versus individual expertise?”

Managing Group Dynamics

Encouraging Quiet Participants

Direct Engagement Techniques

Role-specific questions: “As our [role], what’s your perspective on this?”
Expertise validation: “Given your background in [area], what would you try?”
Opinion seeking: “What’s your gut feeling about this situation?”
Experience mining: “Have you seen anything similar in your work?”

Indirect Inclusion Methods

Turn to neighbor: “Discuss with the person next to you, then we’ll hear thoughts”
Written first: “Jot down your thoughts, then we’ll share”
Choice offering: “Here are three options - which appeals to you and why?”
Build on others: “What would you add to what [name] just said?”

Confidence Building Approaches

Lower stakes questions: “What questions would you want to ask about this?”
Common sense focus: “Even without technical expertise, what seems off here?”
Future thinking: “What would you want to learn more about after this?”
Validation offering: “That’s exactly the kind of thinking we need”

Managing Dominant Participants

Gentle Redirection Techniques

Acknowledge then redirect: “That’s valuable insight. Let’s hear other perspectives.”
Time boxing: “Thanks for that detail. In the interest of time, let’s hear from others.”
Role switching: “Can you help facilitate input from the rest of the team?”
Question redirection: “What questions does that raise for others?”

Structural Solutions

Rotation systems: “Let’s go around and hear one thought from everyone”
Role assignments: Give dominant participants teaching or coordination roles
Small groups: Break into pairs or triads for discussion
Written contributions: Have everyone write thoughts before verbal sharing

Private Conversation Approaches

During natural breaks:

“Your expertise is really valuable. Can you help me draw out others’ insights too?”
“I notice you have a lot to contribute. How can we make space for everyone?”
“Would you mind holding back a bit so we can encourage others to participate?”

Building Psychological Safety

Creating Safe Learning Environment

Normalize uncertainty: “Not knowing is normal in incident response”
Validate attempts: *“Good thinking” even when answers aren’t perfect
Share your own uncertainty: “I don’t know that either - let’s figure it out together”
Reframe mistakes: “That’s exactly the kind of question real incident responders ask”

Encouraging Risk-Taking

Model vulnerability: “I’m not sure about this either”
Celebrate attempts: “I appreciate you thinking out loud”
Use hypotheticals: “What if we tried…” instead of “We should…”
Focus on learning: “What can we learn from this approach?”

Handling Technical Knowledge Gaps

When Nobody Knows the Answer

The Progressive Revelation Technique

Step 1: Simplify the Question Original: “How would you detect advanced persistent threats?” Simplified: “How would you notice something that’s trying to hide in your network?”

Step 2: Provide Context Clues “Think about it this way - if someone was living in your house secretly, what might give them away?”

Step 3: Multiple Choice Framework “Would you be more concerned about: A) New files appearing, B) Unusual network traffic, or C) Strange user behavior?”

Step 4: Collaborative Discovery “Let’s think through this together. What would be the signs?”

Step 5: Direct Teaching (Last Resort) “This is a great learning moment. Security professionals typically look for…”

Common Sense Bridge Technique

Start with logic: “Using common sense, what would worry you?”
Use analogies: “This is like [familiar situation]”
Focus on impact: “What would be the business consequences?”
Ask about feelings: “What makes you uncomfortable about this situation?”

When Information is Incorrect

Gentle Correction Methods

Question back: “Can you walk me through that reasoning?”
Seek clarification: “Help me understand how that would work”
Offer alternatives: “What about this other possibility?”
Group validation: “What do others think about that approach?”

Learning from Errors

Explore the thinking: “That’s interesting logic - let’s see where it leads”
Compare approaches: “How does that compare to [alternative]?”
Real-world check: “How would that work in your actual environment?”
Use as teaching moment: “This highlights an important distinction…”

Bridging Expertise Gaps

Expert-to-Beginner Translation

When experts use complex terminology:

“Can you explain that in terms [beginner] would understand?”
“What’s the business impact of what you just described?”
“How would you explain that to your CEO?”
“What’s the simple version of that concept?”

Encouraging Peer Teaching

“[Expert], can you help the team understand [concept]?”
“Who here can break down what [complex thing] means?”
“Let’s have [expert] teach us about [topic]”
“Can someone translate that technical detail for the group?”

Reading the Room and Adapting

Energy Level Assessment

High Engagement Indicators

Active discussion and debate
Building on each other’s ideas
Asking clarifying questions
Leaning forward, eye contact
Time seems to pass quickly

Response: Maintain pace, dive deeper into technical details, encourage debate

Medium Engagement Indicators

Some participation with prompting
Polite attention but limited initiative
Following along but not contributing
Checking time occasionally

Response: Inject urgency, ask direct questions, change pace or approach

Low Engagement Indicators

Minimal response to questions
Checking phones or laptops
Side conversations
Slumped posture, wandering attention
Frequent time checking

Response: Emergency engagement protocols, break activity, refocus on stakes

Adaptive Difficulty Management

Increasing Difficulty Mid-Session

When group advances quickly:

Add complexity to scenarios
Introduce multiple attack vectors
Explore advanced techniques
Challenge assumptions
Add time pressure

Decreasing Difficulty Mid-Session

When group struggles:

Simplify terminology
Provide more guidance
Focus on core concepts
Use more analogies
Reduce scope

Real-Time Assessment Questions

“How are we doing on complexity level?”
“Should we dive deeper or move on?”
“Is this hitting the right level of challenge?”
“What would be most valuable to explore further?”

Cultural and Communication Adaptation

Diverse Group Management

Check understanding: “Does this make sense to everyone?”
Invite perspectives: “How would this work in your organization/country?”
Cultural sensitivity: Be aware of different communication styles
Language barriers: Use simple, clear language and check comprehension

Mixed Experience Levels

Expert involvement: “Can you help others understand this concept?”
Beginner inclusion: “What questions does this raise for you?”
Experience sharing: “Who’s dealt with something similar?”
Learning partnerships: Pair experts with beginners

Advanced Facilitation Techniques

Building Dramatic Tension

Escalation Techniques

Time pressure: “You have 10 minutes before the attack spreads”
Stakes raising: “Customer data is being stolen right now”
Complication introduction: “Just as you think you have it contained…”
Choice consequences: “This decision will determine whether…”

Suspense Building

Cliffhanger moments: End phases with unresolved tension
Gradual revelation: Release information piece by piece
Multiple threats: Suggest additional hidden dangers
Personal stakes: Connect to character motivations

Improvisation and Adaptation

When Scenarios Go Sideways

Follow player interest: Their direction often leads to better learning
Incorporate unexpected elements: Use player contributions to evolve scenario
Maintain core objectives: Guide back to key learning goals
Document insights: Capture unexpected discoveries for future sessions

Creative Problem-Solving Encouragement

Yes, and… Build on creative suggestions
What if… Explore unconventional approaches
Challenge assumptions: “What if the obvious answer is wrong?”
Encourage experimentation: “Let’s try that and see what happens”

Seamless Transition Management

Between Phases

Energy maintenance: Keep momentum between rounds
Clear objectives: Make new goals explicit
Stakes evolution: Escalate tension appropriately
Progress acknowledgment: Celebrate discoveries and progress

Between Activities

Smooth handoffs: Connect current activity to next
Participation shifts: Ensure everyone stays engaged
Focus management: Help group shift attention smoothly
Time awareness: Keep group informed of schedule

Emergency Facilitation Protocols

When Groups Get Completely Stuck

Circuit Breaker Techniques

Change perspective: “Let’s approach this from a different angle”
Lower stakes: “What if resources were unlimited?”
Role switch: “What would [different role] do here?”
Break it down: “What’s the simplest first step?”

Reset Strategies

Step back: “Let’s recap what we know for certain”
Refocus: “What’s the most important thing to figure out right now?”
Simplify: “If you had to pick just one action, what would it be?”
Time jump: “Fast forward - what does success look like?”

When Conflict Arises

Technical Disagreements

Acknowledge both sides: “Both approaches have merit”
Focus on context: “In our specific situation, which would work better?”
Use constraints: “Given our time/resource limits, what’s most practical?”
Learn from disagreement: “This is exactly what real teams debate”

Personality Conflicts

Redirect to task: “Let’s focus on solving the incident”
Acknowledge emotions: “I can see this is important to both of you”
Use roles: “From your role perspective, what would you recommend?”
Private intervention: Brief sidebar conversations if needed

When Technology Fails

Backup Facilitation Methods

Paper alternatives: Have analog versions of all digital tools
Verbal tracking: Use group memory for status tracking
Whiteboard substitution: Visual tools for complex scenarios
Continue regardless: Don’t let technology stop learning

Scenario Card Preparation Method

The 5-Minute Scenario Card Prep

Most experienced IMs can prepare for any session using scenario cards in just 5 minutes:

Minute 1: Card Selection (60 seconds)

Choose based on group expertise and industry context
Quick scan: Hook, Pressure, NPCs, Secrets, Villain Plan

Minute 2: NPC Motivation Review (60 seconds)

Identify primary stakeholder (IT Director, Hospital CIO, etc.)
Understand their immediate concerns and constraints
Note competing priorities and pressure sources

Minute 3: Hook Internalization (60 seconds)

Understand WHY this attack is happening NOW
Connect to realistic business pressures and deadlines
Prepare opening hook: “Organization X is 72 hours from critical deadline Y…”

Minute 4: Pressure Timeline Review (60 seconds)

Understand business deadline and consequences
Map escalation stages if threat evolves
Balance urgency with realistic response time

Minute 5: Question Preparation (60 seconds)

Prepare context-driven discovery questions
Focus on stakeholder perspectives: “What would worry you most?”
Trust scenario card details, facilitate discovery over lecturing

Why Scenario Cards Work

Rich Context Pre-Built: - Organizational situations participants recognize professionally
- Authentic business constraints and stakeholder pressures - Realistic technical vulnerabilities and attack progression

95% Content Reuse: - Core technical content identical across scenarios - Only organizational details change (company names, deadlines, NPCs) - Allows focus on facilitation rather than content generation

Professional Authenticity: - Industry-specific pressure situations - Realistic stakeholder dynamics and competing priorities - Natural investigation starting points and discovery paths

Emergency Shortcuts

2-Minute Panic Prep: - Grab most familiar scenario card - Read hook and primary stakeholder motivation
- Trust the card, ask context questions, let them discover

1-Minute Crisis Prep: - Pick any scenario card - Read the hook aloud as written - Ask: “What would worry you most in this situation?”

Key Principle: Scenario cards contain everything needed. Your job is facilitation, not expertise demonstration.

The key to practical facilitation is building a toolkit of responses that become automatic, allowing you to focus on reading the group and adapting to their needs in real-time.