Practical Facilitation Techniques

The Question Arsenal

Effective facilitation depends on asking the right questions at the right time. This chapter provides a comprehensive toolkit of questions, techniques, and responses for real-time session management.

Universal Discovery Questions

Opening Investigation Questions

These work for any Malmon and expertise level:

  • “What’s the first thing that would seem unusual here?”
  • “Who in your organization would typically notice these problems first?”
  • “What pattern suggests this isn’t a normal technical issue?”
  • “Based on your experience, what would worry you most about this situation?”
  • “What would be your first instinct when hearing these symptoms?”
  • “How would this compare to problems you’ve seen before?”

Evidence Analysis Questions

When players find clues but need to interpret them:

  • “What does this evidence tell us about our adversary?”
  • “How does this connect to what we found earlier?”
  • “What would someone with malicious intent do with this access?”
  • “If you were the attacker, what would your next move be?”
  • “What’s the significance of the timing here?”
  • “What does the sophistication level suggest?”

Pattern Recognition Questions

Help groups connect disparate clues:

  • “What’s the common thread between these different findings?”
  • “How do these pieces fit together into a single story?”
  • “What type of threat typically combines these techniques?”
  • “What does the combination of [A] and [B] usually indicate?”
  • “If this is all connected, what would that mean?”

Investigation Phase Question Bank

Impact Assessment Questions

For understanding scope and damage:

  • “What’s the worst-case scenario if this continues unchecked?”
  • “What would be most valuable to an attacker in this environment?”
  • “How would this affect your organization’s core mission?”
  • “What regulatory or compliance implications are you seeing?”
  • “Who would be most affected if this data is compromised?”
  • “What systems absolutely cannot be taken offline?”

Technical Deep-Dive Questions

When groups need to explore technical aspects:

  • “What tools would help you investigate this further?”
  • “How would you typically approach this type of analysis?”
  • “What indicators would confirm your suspicions?”
  • “What would you need to prove this theory?”
  • “How would you test whether [solution] would work?”
  • “What’s the technical explanation for what we’re seeing?”

Attack Vector Questions

For understanding how threats succeeded:

  • “How might this have gotten past your existing defenses?”
  • “What vulnerabilities enabled this attack?”
  • “Why would this technique be effective in this environment?”
  • “What would have had to happen for this to succeed?”
  • “How could this have been prevented?”
  • “What assumptions did the attacker make about your environment?”

Response Phase Question Bank

Strategy Development Questions

For coordinating team responses:

  • “What’s your biggest constraint in responding to this?”
  • “How would you prioritize your response actions?”
  • “What could go wrong with this approach?”
  • “How do we balance speed with thoroughness?”
  • “What resources would you need to implement this?”
  • “How would you coordinate this in your real organization?”

Risk Assessment Questions

For evaluating response options:

  • “What’s the risk of taking this action versus not taking it?”
  • “What collateral damage might this response cause?”
  • “How do we minimize disruption while containing the threat?”
  • “What happens if this response fails?”
  • “How do we maintain business operations during response?”
  • “What stakeholders need to be informed about this decision?”

Coordination Questions

For managing team dynamics during crisis:

  • “How do your individual actions support the overall strategy?”
  • “Who needs to know what, and when?”
  • “How do we ensure we’re not working against each other?”
  • “What communication is essential versus what creates noise?”
  • “How do we track progress across all response activities?”
  • “What decisions require team consensus versus individual expertise?”

Managing Group Dynamics

Encouraging Quiet Participants

Direct Engagement Techniques

  • Role-specific questions: “As our [role], what’s your perspective on this?”
  • Expertise validation: “Given your background in [area], what would you try?”
  • Opinion seeking: “What’s your gut feeling about this situation?”
  • Experience mining: “Have you seen anything similar in your work?”

Indirect Inclusion Methods

  • Turn to neighbor: “Discuss with the person next to you, then we’ll hear thoughts”
  • Written first: “Jot down your thoughts, then we’ll share”
  • Choice offering: “Here are three options - which appeals to you and why?”
  • Build on others: “What would you add to what [name] just said?”

Confidence Building Approaches

  • Lower stakes questions: “What questions would you want to ask about this?”
  • Common sense focus: “Even without technical expertise, what seems off here?”
  • Future thinking: “What would you want to learn more about after this?”
  • Validation offering: “That’s exactly the kind of thinking we need”

Managing Dominant Participants

Gentle Redirection Techniques

  • Acknowledge then redirect: “That’s valuable insight. Let’s hear other perspectives.”
  • Time boxing: “Thanks for that detail. In the interest of time, let’s hear from others.”
  • Role switching: “Can you help facilitate input from the rest of the team?”
  • Question redirection: “What questions does that raise for others?”

Structural Solutions

  • Rotation systems: “Let’s go around and hear one thought from everyone”
  • Role assignments: Give dominant participants teaching or coordination roles
  • Small groups: Break into pairs or triads for discussion
  • Written contributions: Have everyone write thoughts before verbal sharing

Private Conversation Approaches

During natural breaks:

  • “Your expertise is really valuable. Can you help me draw out others’ insights too?”
  • “I notice you have a lot to contribute. How can we make space for everyone?”
  • “Would you mind holding back a bit so we can encourage others to participate?”

Building Psychological Safety

Creating Safe Learning Environment

  • Normalize uncertainty: “Not knowing is normal in incident response”
  • Validate attempts: “Good thinking” even when answers aren’t perfect
  • Share your own uncertainty: “I don’t know that either - let’s figure it out together”
  • Reframe mistakes: “That’s exactly the kind of question real incident responders ask”

Encouraging Risk-Taking

  • Model vulnerability: “I’m not sure about this either”
  • Celebrate attempts: “I appreciate you thinking out loud”
  • Use hypotheticals: “What if we tried…” instead of “We should…”
  • Focus on learning: “What can we learn from this approach?”

Handling Technical Knowledge Gaps

When Nobody Knows the Answer

The Progressive Revelation Technique

Step 1: Simplify the Question
Original: “How would you detect advanced persistent threats?”
Simplified: “How would you notice something that’s trying to hide in your network?”

Step 2: Provide Context Clues
“Think about it this way - if someone was living in your house secretly, what might give them away?”

Step 3: Multiple Choice Framework
“Would you be more concerned about: A) New files appearing, B) Unusual network traffic, or C) Strange user behavior?”

Step 4: Collaborative Discovery
“Let’s think through this together. What would be the signs?”

Step 5: Direct Teaching (Last Resort)
“This is a great learning moment. Security professionals typically look for…”

Common Sense Bridge Technique

  • Start with logic: “Using common sense, what would worry you?”
  • Use analogies: “This is like [familiar situation]”
  • Focus on impact: “What would be the business consequences?”
  • Ask about feelings: “What makes you uncomfortable about this situation?”

When Information is Incorrect

Gentle Correction Methods

  • Question back: “Can you walk me through that reasoning?”
  • Seek clarification: “Help me understand how that would work”
  • Offer alternatives: “What about this other possibility?”
  • Group validation: “What do others think about that approach?”

Learning from Errors

  • Explore the thinking: “That’s interesting logic - let’s see where it leads”
  • Compare approaches: “How does that compare to [alternative]?”
  • Real-world check: “How would that work in your actual environment?”
  • Use as teaching moment: “This highlights an important distinction…”

Bridging Expertise Gaps

Expert-to-Beginner Translation

When experts use complex terminology:

  • “Can you explain that in terms [beginner] would understand?”
  • “What’s the business impact of what you just described?”
  • “How would you explain that to your CEO?”
  • “What’s the simple version of that concept?”

Encouraging Peer Teaching

  • “[Expert], can you help the team understand [concept]?”
  • “Who here can break down what [complex thing] means?”
  • “Let’s have [expert] teach us about [topic]”
  • “Can someone translate that technical detail for the group?”

Reading the Room and Adapting

Energy Level Assessment

High Engagement Indicators

  • Active discussion and debate
  • Building on each other’s ideas
  • Asking clarifying questions
  • Leaning forward, eye contact
  • Time seems to pass quickly

Response: Maintain pace, dive deeper into technical details, encourage debate

Medium Engagement Indicators

  • Some participation with prompting
  • Polite attention but limited initiative
  • Following along but not contributing
  • Checking time occasionally

Response: Inject urgency, ask direct questions, change pace or approach

Low Engagement Indicators

  • Minimal response to questions
  • Checking phones or laptops
  • Side conversations
  • Slumped posture, wandering attention
  • Frequent time checking

Response: Emergency engagement protocols, break activity, refocus on stakes

Adaptive Difficulty Management

Increasing Difficulty Mid-Session

When group advances quickly:

  • Add complexity to scenarios
  • Introduce multiple attack vectors
  • Explore advanced techniques
  • Challenge assumptions
  • Add time pressure

Decreasing Difficulty Mid-Session

When group struggles:

  • Simplify terminology
  • Provide more guidance
  • Focus on core concepts
  • Use more analogies
  • Reduce scope

Real-Time Assessment Questions

  • “How are we doing on complexity level?”
  • “Should we dive deeper or move on?”
  • “Is this hitting the right level of challenge?”
  • “What would be most valuable to explore further?”

Cultural and Communication Adaptation

Diverse Group Management

  • Check understanding: “Does this make sense to everyone?”
  • Invite perspectives: “How would this work in your organization/country?”
  • Cultural sensitivity: Be aware of different communication styles
  • Language barriers: Use simple, clear language and check comprehension

Mixed Experience Levels

  • Expert involvement: “Can you help others understand this concept?”
  • Beginner inclusion: “What questions does this raise for you?”
  • Experience sharing: “Who’s dealt with something similar?”
  • Learning partnerships: Pair experts with beginners

Advanced Facilitation Techniques

Building Dramatic Tension

Escalation Techniques

  • Time pressure: “You have 10 minutes before the attack spreads”
  • Stakes raising: “Customer data is being stolen right now”
  • Complication introduction: “Just as you think you have it contained…”
  • Choice consequences: “This decision will determine whether…”

Suspense Building

  • Cliffhanger moments: End phases with unresolved tension
  • Gradual revelation: Release information piece by piece
  • Multiple threats: Suggest additional hidden dangers
  • Personal stakes: Connect to character motivations

Improvisation and Adaptation

When Scenarios Go Sideways

  • Follow player interest: Their direction often leads to better learning
  • Incorporate unexpected elements: Use player contributions to evolve scenario
  • Maintain core objectives: Guide back to key learning goals
  • Document insights: Capture unexpected discoveries for future sessions

Creative Problem-Solving Encouragement

  • Yes, and…: Build on creative suggestions
  • What if…: Explore unconventional approaches
  • Challenge assumptions: “What if the obvious answer is wrong?”
  • Encourage experimentation: “Let’s try that and see what happens”

Seamless Transition Management

Between Phases

  • Energy maintenance: Keep momentum between rounds
  • Clear objectives: Make new goals explicit
  • Stakes evolution: Escalate tension appropriately
  • Progress acknowledgment: Celebrate discoveries and progress

Between Activities

  • Smooth handoffs: Connect current activity to next
  • Participation shifts: Ensure everyone stays engaged
  • Focus management: Help group shift attention smoothly
  • Time awareness: Keep group informed of schedule

Emergency Facilitation Protocols

When Groups Get Completely Stuck

Circuit Breaker Techniques

  • Change perspective: “Let’s approach this from a different angle”
  • Lower stakes: “What if resources were unlimited?”
  • Role switch: “What would [different role] do here?”
  • Break it down: “What’s the simplest first step?”

Reset Strategies

  • Step back: “Let’s recap what we know for certain”
  • Refocus: “What’s the most important thing to figure out right now?”
  • Simplify: “If you had to pick just one action, what would it be?”
  • Time jump: “Fast forward - what does success look like?”

When Conflict Arises

Technical Disagreements

  • Acknowledge both sides: “Both approaches have merit”
  • Focus on context: “In our specific situation, which would work better?”
  • Use constraints: “Given our time/resource limits, what’s most practical?”
  • Learn from disagreement: “This is exactly what real teams debate”

Personality Conflicts

  • Redirect to task: “Let’s focus on solving the incident”
  • Acknowledge emotions: “I can see this is important to both of you”
  • Use roles: “From your role perspective, what would you recommend?”
  • Private intervention: Brief sidebar conversations if needed

When Technology Fails

Backup Facilitation Methods

  • Paper alternatives: Have analog versions of all digital tools
  • Verbal tracking: Use group memory for status tracking
  • Whiteboard substitution: Visual tools for complex scenarios
  • Continue regardless: Don’t let technology stop learning

Success Indicators and Troubleshooting

Session Success Metrics

Engagement Indicators

Learning Indicators

Common Problems and Solutions

Problem: Group Won’t Engage

Solutions:

  • Lower stakes questions
  • Direct individual attention
  • Change physical arrangement
  • Inject urgency or humor
  • Break into smaller groups

Problem: Too Much Technical Detail

Solutions:

  • Redirect to big picture
  • Ask about business impact
  • Use time pressure to prioritize
  • Focus on decisions rather than details
  • Acknowledge expertise but maintain pace

Problem: Not Enough Technical Depth

Solutions:

  • Ask follow-up questions
  • Encourage expert elaboration
  • Dive into specific techniques
  • Explore alternative approaches
  • Connect to real-world tools and methods

Problem: Time Management Issues

Solutions:

  • Flexible scenario adaptation
  • Priority-based decision making
  • Efficient transition techniques
  • Strategic time allocation
  • Emergency pacing protocols

Implementing Degrees of Success

The degrees of success framework provides sophisticated outcome resolution that creates more engaging and realistic incident response scenarios than simple success/failure mechanics.

Understanding the Four Degrees

Critical Success (Natural 20 or exceeds target by 8+)

When to Award:

  • Player demonstrates exceptional cybersecurity knowledge
  • Creative solution that addresses multiple problems simultaneously
  • Team coordination that elevates everyone’s contribution
  • Real-world expertise that enhances the scenario’s authenticity

How to Narrate:

  • “Not only does your analysis identify the malware family, but you also recognize the specific campaign and can predict the attacker’s next moves…”
  • “Your network isolation is so well-executed that it actually improves your overall security posture…”
  • “Your communication is so clear that it aligns the entire organization behind the response effort…”

Additional Benefits to Consider:

  • Bonus information about threat actor tactics
  • Enhanced team coordination for the next round
  • Reduced time pressure or evolution risk
  • Improved Network Security Status beyond normal success

Full Success (Meets or beats target)

When to Award:

  • Standard professional competence with appropriate tools and knowledge
  • Good teamwork that achieves stated objectives
  • Realistic approach that would work in actual incident response
  • Demonstration of cybersecurity best practices

How to Narrate:

  • “Your forensic analysis confirms the malware type and provides the evidence you need…”
  • “The containment measures successfully isolate the affected systems…”
  • “Your stakeholder communication keeps leadership informed and supportive…”

Standard Outcomes:

  • Action achieves its intended purpose
  • Team progresses toward resolution
  • No complications from the action itself
  • Network Security Status changes as expected

Partial Success (1-3 points below target)

Most Important for Learning:

Partial successes create the most educational moments because they simulate real-world incident response complexity.

When to Award:

  • Approach is sound but execution has minor issues
  • External factors complicate otherwise good decisions
  • Time pressure forces trade-offs between competing priorities
  • Resource constraints limit optimal solutions

How to Narrate:

  • “Your network monitoring detects the malware’s communication, but the traffic is encrypted and you can only see connection patterns…”
  • “The executive briefing goes well, but the CFO raises budget concerns that could complicate your response…”
  • “You successfully contain the threat on most systems, but one critical database server remains accessible to avoid disrupting operations…”

Creating Follow-Up Opportunities:

  • Partial success should lead to additional actions or choices
  • Give players options for how to address complications
  • Use partial outcomes to generate team discussion about priorities
  • Connect complications to real incident response challenges

Example Partial Success Complications:

  • Technical: Solution works but creates new vulnerabilities or monitoring gaps
  • Organizational: Action succeeds but creates political or business complications
  • Temporal: Success achieved but takes longer than expected, increasing evolution risk
  • Resource: Solution works but consumes more budget/personnel than planned

Failure (4+ points below target)

Educational Approach to Failure: Frame failures as learning opportunities rather than narrative dead ends.

When to Award:

  • Approach demonstrates fundamental misunderstanding
  • Action attempts something beyond current capabilities
  • Dice result represents environmental factors beyond player control
  • Teaching moment about incident response limitations

How to Narrate Constructively:

  • “The malware proves more sophisticated than expected - your standard analysis tools aren’t revealing its full capabilities…”
  • “The containment attempt fails when you discover the threat has already established persistence mechanisms you hadn’t detected…”
  • “Your communication with legal raises additional compliance concerns that complicate the response timeline…”

Turning Failure into Learning:

  • Ask: “What does this tell us about the threat we’re dealing with?”
  • Explore: “How might you approach this differently with what you now know?”
  • Connect: “What would this failure teach you for future incidents?”

Advanced Facilitation with Degrees of Success

Building Narrative Tension

Use degrees of success to create escalating scenarios:

  1. Early Critical Successes: Build team confidence and establish threat baseline
  2. Mid-Session Partial Successes: Introduce complications that require adaptation
  3. Climax Moments: High-stakes rolls where degrees of success dramatically affect outcomes
  4. Resolution: Mix outcomes that show both victories and lessons learned

Balancing Player Agency with Realism

Player Expertise Should Matter More Than Dice:

  • Award automatic success for clearly demonstrated cybersecurity knowledge
  • Use critical success to reward creative applications of real-world experience
  • Reserve failure for situations where external factors create genuine obstacles

Environmental Factors:

  • Partial successes often represent organizational or technical constraints
  • Failures can represent adversary sophistication or environmental complexity
  • Critical successes can overcome constraints through exceptional expertise

Managing Degrees Across Team Actions

Individual Actions:

  • Degrees apply to each player’s specific contribution
  • Multiple partial successes can combine into team full success
  • Individual critical success can inspire team bonuses

Collaborative Actions:

  • Team coordination affects the baseline difficulty
  • Multiple players working together can shift failure to partial success
  • Excellent teamwork should enable critical successes more frequently
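An IM who wants the four degrees applied consistently at the table can encode them once and stop re-deriving the thresholds mid-session. The resolver below is an added example written for this guide, not part of the original page or of any Malmon tooling. It implements exactly the thresholds stated under “Understanding the Four Degrees” (a natural 20 or a total of target+8 or more is a critical success; meeting or beating the target is a full success; 1-3 points below is partial; 4 or more below is failure), and it handles the edge case the text implies but does not spell out: a natural 20 is critical even when a low modifier would otherwise leave the total below target. The second function illustrates the “Individual Actions” and “Collaborative Actions” notes above; the specific combination rule it uses (two or more partial successes with no failure count as a team full success) is an assumed house rule, not one the guide states. The `Resolution` record, the `modifier` argument, and all function names are assumptions made for this example.

```python
"""Degrees-of-success resolver for the Malmon facilitation guide.

Added example, not code from the original guide. The thresholds follow the
page's text; the team-combination rule and all names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Degree(Enum):
    CRITICAL = "critical success"
    FULL = "full success"
    PARTIAL = "partial success"
    FAILURE = "failure"


@dataclass(frozen=True)
class Resolution:
    natural: int     # the d20 face value as rolled
    modifier: int    # the player's bonus for this action (assumed mechanic)
    target: int      # the difficulty the IM set for the action
    degree: Degree

    @property
    def total(self) -> int:
        return self.natural + self.modifier

    @property
    def margin(self) -> int:
        # positive: beat the target by this much; negative: fell short by this much
        return self.total - self.target


def resolve(natural: int, modifier: int, target: int) -> Resolution:
    """Map one d20 roll plus modifier against a target to its degree."""
    if not 1 <= natural <= 20:
        raise ValueError("a d20 shows a face from 1 to 20")
    margin = natural + modifier - target
    if natural == 20 or margin >= 8:
        # "Natural 20 or exceeds target by 8+": the natural 20 wins even if
        # the total is below target, so check it before the margin bands.
        degree = Degree.CRITICAL
    elif margin >= 0:
        degree = Degree.FULL          # "Meets or beats target"
    elif margin >= -3:
        degree = Degree.PARTIAL       # "1-3 points below target"
    else:
        degree = Degree.FAILURE       # "4+ points below target"
    return Resolution(natural, modifier, target, degree)


def combine_team(results: Iterable[Resolution]) -> Degree:
    """Assumed house rule for one action attempted by several players.

    Any individual critical lifts the team to critical; any full success
    carries the team; two or more partials with no failure combine into a
    team full success (the guide says this "can" happen); otherwise the team
    takes its best individual degree.
    """
    degrees = [r.degree for r in results]
    if not degrees:
        raise ValueError("no results to combine")
    if Degree.CRITICAL in degrees:
        return Degree.CRITICAL
    if Degree.FULL in degrees:
        return Degree.FULL
    if degrees.count(Degree.PARTIAL) >= 2 and Degree.FAILURE not in degrees:
        return Degree.FULL
    if Degree.PARTIAL in degrees:
        return Degree.PARTIAL
    return Degree.FAILURE


if __name__ == "__main__":
    # Constructed sample: three analysts attempt the guide's "analyze the
    # network logs" action against a target of 15 the IM set for it.
    rolls = [resolve(10, 2, 15), resolve(11, 1, 15), resolve(20, -6, 15)]
    for r in rolls:
        print(f"d20={r.natural:2d} mod={r.modifier:+d} total={r.total:2d} "
              f"margin={r.margin:+d} -> {r.degree.value}")
    print("team outcome:", combine_team(rolls).value)
```

Run it directly to see the three individual degrees and the combined team outcome; at the table, only `resolve` is needed per roll, and `combine_team` is there for the moments when several players pile onto one action.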

Pacing and Story Flow

Early Phase (Discovery):

  • Favor partial successes that reveal information gradually
  • Use failures to highlight threat sophistication
  • Critical successes provide breakthrough moments

Middle Phase (Investigation):

  • Mix outcomes to create realistic investigation complexity
  • Partial successes maintain momentum while adding complications
  • Failures represent dead ends that require new approaches

Final Phase (Response):

  • Higher success rates as team applies accumulated knowledge
  • Critical successes represent excellent execution of well-planned response
  • Failures have higher stakes but clearer learning outcomes

Practical Application Examples

Investigation Action Example

Player Action: “I want to analyze the network logs to understand how the malware spreads”

Critical Success: “Your log analysis not only traces the malware’s lateral movement but reveals it’s using a previously unknown exploitation technique. You gain insight into both its current scope AND its future targets.”

Full Success: “The log analysis shows clear patterns of lateral movement through compromised credentials. You can map the affected systems and understand the timeline.”

Partial Success: “You identify signs of lateral movement, but the logs have gaps during shift changes. You understand the general pattern but need additional investigation to get complete visibility.”

Failure: “The logs show suspicious activity, but without understanding the malware’s specific techniques, you can’t distinguish its traffic from legitimate administrative activity. You need a different approach.”

Communication Action Example

Player Action: “I’ll brief the executive team on our response progress and resource needs”

Critical Success: “Your briefing not only secures the resources you need but also gets executive commitment to implement the security improvements you’ve identified. Leadership becomes champions of the response effort.”

Full Success: “The executives understand the situation and approve your resource requests. They’ll handle communication with customers and regulators as needed.”

Partial Success: “Leadership approves most of your requests but wants to minimize operational disruption. You get the resources but with constraints on how disruptive your response can be.”

Failure: “The briefing raises more concerns than it answers. Leadership wants additional consultants involved and more detailed impact assessments before approving significant resources.”

Scenario Card Preparation Method

The 5-Minute Scenario Card Prep

Most experienced IMs can prepare for any session using scenario cards in just 5 minutes:

Minute 1: Card Selection (60 seconds)

  • Choose based on group expertise and industry context
  • Quick scan: Hook, Pressure, NPCs, Secrets, Villain Plan

Minute 2: NPC Motivation Review (60 seconds)

  • Identify primary stakeholder (IT Director, Hospital CIO, etc.)
  • Understand their immediate concerns and constraints
  • Note competing priorities and pressure sources

Minute 3: Hook Internalization (60 seconds)

  • Understand WHY this attack is happening NOW
  • Connect to realistic business pressures and deadlines
  • Prepare opening hook: “Organization X is 72 hours from critical deadline Y…”

Minute 4: Pressure Timeline Review (60 seconds)

  • Understand business deadline and consequences
  • Map escalation stages if threat evolves
  • Balance urgency with realistic response time

Minute 5: Question Preparation (60 seconds)

  • Prepare context-driven discovery questions
  • Focus on stakeholder perspectives: “What would worry you most?”
  • Trust scenario card details, facilitate discovery over lecturing

Why Scenario Cards Work

Rich Context Pre-Built:

  • Organizational situations participants recognize professionally
  • Authentic business constraints and stakeholder pressures
  • Realistic technical vulnerabilities and attack progression

95% Content Reuse:

  • Core technical content identical across scenarios
  • Only organizational details change (company names, deadlines, NPCs)
  • Allows focus on facilitation rather than content generation

Professional Authenticity:

  • Industry-specific pressure situations
  • Realistic stakeholder dynamics and competing priorities
  • Natural investigation starting points and discovery paths

Key Principle: Scenario cards contain everything needed. Your job is facilitation, not expertise demonstration.

The key to practical facilitation is building a toolkit of responses that become automatic, allowing you to focus on reading the group and adapting to their needs in real-time.