Session Management

The Art of Orchestrating Collaborative Learning

Effective session management balances structure with flexibility, ensuring that learning objectives are met while adapting to the unique dynamics and expertise of each group. Your role is to create and maintain an environment where collaborative discovery can flourish.

Pre-Session Setup

Essential Preparation

Digital Resources:

  • Reference Materials: Type effectiveness chart, role descriptions, emergency protocols
  • Backup Plans: Printed materials in case of technology failure
  • Time Management: Visible timer or clock for phase management
  • Documentation Tools: Capture insights and lessons learned

Group Assessment and Adaptation

Rapid Expertise Assessment:

As participants arrive, gather information about their backgrounds:

  • “What brings you here today?”
  • “What’s your experience level with incident response?”
  • “Are there specific learning goals you hope to achieve?”
  • “Any particular cybersecurity challenges you’re facing at work?”

Adaptation Indicators:

  • High Expertise Group: Focus on complex scenarios, advanced concepts, innovation opportunities
  • Mixed Expertise Group: Leverage peer teaching, emphasize collaboration over individual performance
  • Low Expertise Group: Emphasize concept learning, provide more guidance and structure
  • Organizational Team: Connect learning to specific workplace challenges and opportunities

Opening and Character Creation

Creating Psychological Safety

Set Collaborative Expectations:

  • “This is a learning environment where questions and mistakes are valuable.”
  • “Everyone brings knowledge and perspective that contributes to our collective understanding.”
  • “We succeed as a team, not as individuals competing against each other.”
  • “The goal is learning together, not demonstrating expertise or getting everything right.”

Address Common Concerns:

  • “You don’t need to be a cybersecurity expert to contribute meaningfully.”
  • “Technical knowledge helps, but problem-solving and collaboration skills are equally valuable.”
  • “We’ll learn from each other’s experience and perspectives throughout the session.”

Skills Discovery and Role Assignment

Structured Sharing Process:

Have each participant briefly share (45 seconds each):

  • Name and background
  • Connection to cybersecurity (professional, academic, personal interest)
  • One thing they know about computers, security, or technology
  • What they hope to learn or contribute

Collaborative Role Selection: Based on interests and team needs:

  • “Based on what everyone shared, let’s think about how to build a strong incident response team.”
  • “Which roles appeal to you based on your interests and experience?”
  • “How can we ensure all key perspectives are represented?”
  • “Remember, roles are starting points - your expertise can contribute across all areas.”

Character Development

Individual Reflection: Participants develop their character using prompts:

  • Keep your real first name
  • Build a personality around your chosen role
  • Think about what motivates your character
  • Consider how your real experience informs your character

Brief Introductions: Each participant introduces their character in 20-30 seconds:

  • Name and role
  • One character trait or quirk
  • What drives them to protect their organization
  • How they approach cybersecurity challenges

Round Management

Discovery Phase Management

Phase Introduction:

  • Present initial symptoms clearly and concisely
  • Establish the learning objective: identify the specific threat
  • Remind team of available time and individual action allocation
  • Encourage role-based investigation approaches

Individual Investigation:
Your Role During This Time:

  • Circulate and Listen: Move around table, listen to discussions, gauge engagement
  • Ask Clarifying Questions: Help participants think through their role’s perspective
  • Provide Guidance When Stuck: Offer gentle prompts without providing answers
  • Monitor Time: Give time warnings as needed, but keep the focus on learning; you don’t want to break off an engaging conversation in which everybody is taking part and learning merely for the sake of progress.

Effective Circulation Questions:

  • “What would someone in your role typically investigate first?”
  • “What patterns or anomalies stand out to you?”
  • “How would you approach this if it happened at your organization?”
  • “What questions would your role ask about these symptoms?”

Knowledge Sharing:
Facilitate Structured Sharing:

  • Go around table, giving each role 90 seconds to share findings
  • Ask follow-up questions that connect different perspectives
  • Help team see patterns and connections across different investigations
  • Build toward collective understanding without forcing conclusions

Effective Facilitation Questions:

  • “How do these different findings connect?”
  • “What patterns emerge when we look at all perspectives together?”
  • “What questions remain after hearing everyone’s investigation?”
  • “What type of threat explains all these different symptoms?”

Malmon Identification: Guide Collaborative Conclusion:

  • Help team synthesize their investigations into threat identification
  • Validate their reasoning and analysis process
  • Reveal Malmon card and confirm their assessment
  • Briefly discuss type effectiveness and what it means for response

Investigation Phase Management

Phase Transition:

  • Acknowledge successful discovery work
  • Present evolution pressure or additional complications
  • Establish phase objective: understand scope and plan response
  • Maintain urgency while allowing thorough analysis

Impact Assessment: Key Areas to Explore:

  • What systems and data are affected or at risk?
  • How has the attack progressed since initial compromise?
  • What are the business and operational implications?
  • What vulnerabilities enabled this attack to succeed?

Facilitation Focus:

  • Keep discussions tied to actionable intelligence
  • Help team balance thoroughness with time pressure
  • Connect technical findings to business impact
  • Encourage cross-role collaboration and information sharing

Attack Vector Analysis: Guide Deeper Understanding:

  • How did the attack succeed initially?
  • What would have prevented this compromise?
  • What does this reveal about organizational security posture?
  • How might similar attacks be prevented in the future?

Evolution Assessment: Create Urgency for Response:

  • Present signs of potential threat evolution or escalation
  • Help team understand time pressure for effective response
  • Connect investigation findings to response strategy needs
  • Transition focus from understanding to action planning

Response Phase Management

Strategy Development: Facilitate Collaborative Planning:

  • Help team choose approaches based on Malmon type effectiveness
  • Encourage role-based contribution to strategy development
  • Address resource constraints and organizational realities
  • Build consensus around coordinated response approach

Key Questions:

  • “Given what we know about this threat type, what approaches would be most effective?”
  • “How would you coordinate different response activities?”
  • “What could go wrong with this approach, and how would you address those risks?”
  • “How does this response strategy address both immediate threats and long-term prevention?”

Implementation:
Manage Action Resolution:

  • Help team execute their strategy through role-based actions
  • Use dice mechanics when outcomes are uncertain
  • Apply type effectiveness bonuses and penalties appropriately
  • Maintain tension while rewarding good collaboration and planning

Resolution:
Wrap Up the Incident:

  • Determine final outcome based on team performance and decisions
  • Acknowledge effective strategies and collaboration
  • Connect results to learning objectives and real-world applications
  • Set up post-session reflection and documentation

Time Management Strategies

When Phases Run Long

Early Intervention:

  • “We are almost out of time for this phase - what’s our key priority?”
  • “Let’s focus on the most important decision we need to make.”
  • “What’s the essential information we need before moving to the next phase?”

Late Intervention:

  • “Time to wrap up - what’s our main conclusion?”
  • “What’s the most important takeaway from this phase?”
  • “We’ll carry forward [key insight] as we move to the next phase.”

When Phases Run Short

Depth Questions:

  • “What might we be missing if we move too quickly?”
  • “What are the implications of this decision?”
  • “How would different approaches change our outcomes?”
  • “What would worry you most about our current understanding?”

Extension Activities:

  • Cross-role consultation and knowledge sharing
  • Alternative scenario exploration
  • Strategic thinking about prevention and improvement
  • Connection to real-world organizational challenges

Energy and Engagement Management

Maintaining High Energy

Technique Rotation:

  • Discussion: Collaborative problem-solving and knowledge sharing
  • Action: Individual investigation and strategy implementation
  • Reflection: Analysis of decisions and learning capture
  • Movement: Physical position changes, role consultations

Engagement Indicators:

  • Active participation from all roles
  • Building on each other’s contributions
  • Questions and curiosity about the scenario
  • Connection to real-world experience and challenges

Addressing Low Energy

Immediate Interventions:

  • “What’s at stake if we don’t solve this problem?”
  • “How would you explain the urgency to your organization’s leadership?”
  • “What would make this attack particularly dangerous?”
  • Brief physical movement or position change

Systemic Adjustments:

  • Reduce complexity and focus on core learning objectives
  • Increase role-based structure and guidance
  • Add collaborative elements and team consultation
  • Connect more directly to participants’ real-world experience

Managing Different Group Types

High-Expertise Groups

Characteristics: Deep technical knowledge, may find scenarios too simple
Management Approach:

  • Add complexity and advanced concepts
  • Focus on innovation and technique development
  • Encourage mentoring and knowledge sharing
  • Connect to cutting-edge threats and responses

Effective Questions:

  • “What additional complications might arise in real incidents?”
  • “How would you improve on standard response approaches?”
  • “What would you do differently based on your experience?”
  • “How would you teach this concept to less experienced colleagues?”

Mixed-Experience Groups

Characteristics: Varying levels of technical knowledge and experience
Management Approach:

  • Facilitate peer teaching and learning
  • Ensure all participants can contribute meaningfully
  • Balance technical depth with accessible concepts
  • Use experienced participants as teaching resources

Effective Questions:

  • “How would you explain this to someone new to cybersecurity?”
  • “What questions would someone without technical background ask?”
  • “How do different experience levels contribute to understanding this threat?”
  • “What can we learn from each other’s different perspectives?”

Low-Experience Groups

Characteristics: Limited cybersecurity background, may feel intimidated
Management Approach:

  • Emphasize concept learning over technical details
  • Provide more structure and guidance
  • Celebrate insights and logical thinking
  • Connect to everyday technology experience

Effective Questions:

  • “What would common sense suggest in this situation?”
  • “How is this similar to technology problems you’ve encountered?”
  • “What would worry you if this happened to your personal computer?”
  • “What questions would you ask if you were responsible for fixing this?”

Organizational Teams

Characteristics: Work together regularly, want applicable insights
Management Approach:

  • Connect learning directly to organizational challenges
  • Address specific workplace constraints and opportunities
  • Encourage discussion of implementation and application
  • Support team development and relationship building

Effective Questions:

  • “How would this scenario play out in your specific environment?”
  • “What organizational factors would help or hinder this response?”
  • “How could you apply these insights to improve your current security posture?”
  • “What would you need to implement these approaches at work?”

Post-Session Wrap-Up (5 minutes)

Learning Capture

Structured Reflection:

  • What surprised you most about this scenario?
  • Which response techniques were most effective?
  • How does this connect to your real-world experience?
  • What would you do differently in a similar situation?

MalDex Documentation:

  • Key insights about the Malmon’s behavior and weaknesses
  • Effective response strategies discovered during the session
  • Lessons learned about team coordination and collaboration
  • Recommendations for other teams facing similar threats

Community Connection

Next Steps:

  • Information about additional learning opportunities
  • Connection to local cybersecurity communities
  • Resources for continued skill development
  • Opportunities to contribute to community knowledge

Feedback Collection:

  • What worked well in this session?
  • What could be improved for future sessions?
  • Interest in additional scenarios or advanced challenges
  • Suggestions for community development and growth

Remember: Effective session management creates the conditions for collaborative learning while adapting to the unique needs and dynamics of each group. Focus on maintaining engagement, ensuring meaningful participation from all roles, and connecting learning to real-world applications and challenges.