Network Security Status Adjustment Guide
Quick Reference for Track Adjustments
This guide provides practical guidance for adjusting the three-track Network Security Status system during sessions based on player actions and story developments.
Core Adjustment Principles
Adjust based on player actions, not arbitrary timing
- Track changes should reflect meaningful player decisions and discoveries
- Avoid mechanical point deductions without narrative justification
- Reward effective teamwork and strategic thinking

Make changes visible and educational
- Announce track changes when they happen
- Explain the reasoning behind adjustments
- Use changes to drive story tension and learning moments

Keep it simple during facilitation
- Don’t overthink precise numbers - focus on general direction
- Use 5-10 point increments for most adjustments
- Major events can warrant 15-25 point changes
Network Security Track Adjustments
Decreases (-5 to -30)
Minor Decreases (-5 to -10):
- Malware spreads to 1-2 additional systems
- Minor security control failure or bypass
- Delayed response allows limited damage
- Discovery of previously unknown vulnerability
Example: “The malware has spread to the HR department systems. Network Security drops to 85.”
Moderate Decreases (-10 to -20):
- Significant system compromise or data theft
- Major security control failure
- Critical vulnerability exploitation
- Persistent threat establishment
Example: “With admin credentials compromised, the attacker has elevated access across multiple servers. Network Security drops to 70.”
Major Decreases (-20 to -30):
- Critical infrastructure systems compromised
- Massive data breach or system encryption
- Complete security control bypass
- Threat evolution or escalation
Example: “The ransomware has encrypted your primary database servers. Network Security drops to 45.”
Increases (+5 to +25)
Minor Increases (+5 to +10):
- Successful threat containment on specific systems
- Effective security control implementation
- Vulnerability patching completion
- Improved monitoring deployment
Example: “You’ve successfully isolated the infected workstations. Network Security improves to 75.”
Moderate Increases (+10 to +20):
- Significant threat neutralization
- Major security enhancement implementation
- Successful system recovery and hardening
- Comprehensive vulnerability remediation
Example: “Your network segmentation has stopped the lateral movement completely. Network Security jumps to 85.”
Major Increases (+20 to +25):
- Complete threat elimination
- Revolutionary security improvement
- Advanced defensive capability deployment
- Comprehensive system restoration with enhancements
Example: “You’ve not only eliminated the threat but implemented advanced monitoring that would catch similar attacks in hours instead of days. Network Security rises to 95.”
IR Effectiveness Track Adjustments
Decreases (-5 to -25)
Minor Decreases (-5 to -10):
- Slight communication breakdown between roles
- Minor coordination issues or delays
- Individual team member confusion
- Incomplete information sharing
Example: “The Detective and Protector are working on conflicting assumptions. IR Effectiveness drops to 90.”
Moderate Decreases (-10 to -20):
- Significant role conflict or duplication
- Major communication breakdown
- Investigation going seriously off-track
- Team decision paralysis
Example: “The team is splitting into two different approaches without coordination. IR Effectiveness drops to 75.”
Major Decreases (-20 to -25):
- Complete team coordination breakdown
- Critical information missed due to poor communication
- Major strategic disagreement preventing action
- Individual performance undermining team effort
Example: “The lack of coordination has led to contradictory actions that are making the situation worse. IR Effectiveness drops to 60.”
Increases (+5 to +25)
Minor Increases (+5 to +10):
- Good role coordination and information sharing
- Effective use of individual expertise
- Clear communication about findings
- Collaborative problem-solving
Example: “Your systematic information sharing is building a clear picture of the threat. IR Effectiveness rises to 110.”
Moderate Increases (+10 to +20):
- Exceptional teamwork and role synergy
- Breakthrough collaborative discovery
- Outstanding communication under pressure
- Strategic coordination across all roles
Example: “The way you’re building on each other’s discoveries is creating insights none of you would have reached alone. IR Effectiveness jumps to 125.”
Major Increases (+20 to +25):
- Seamless team coordination under extreme pressure
- Innovative collaborative problem-solving
- Perfect role integration and communication
- Team performance exceeding individual capabilities
Example: “Your team coordination is so effective you’re anticipating each other’s needs. This is textbook incident response. IR Effectiveness rises to 135.”
Business Operations Track Adjustments
Decreases (-5 to -30)
Minor Decreases (-5 to -10):
- Non-critical system disruption
- Minor stakeholder concern or questions
- Slight operational inefficiency
- Limited service degradation
Example: “Email is running slowly, affecting daily operations. Business Operations drops to 90.”
Moderate Decreases (-10 to -20):
- Critical system outage affecting operations
- Significant stakeholder pressure or concern
- Regulatory scrutiny beginning
- Major service disruption
Example: “With the payment processing down, customers can’t complete transactions. Business Operations drops to 75.”
Major Decreases (-20 to -30):
- Mission-critical system failure
- Public disclosure of security incident
- Regulatory enforcement action
- Complete operational disruption
Example: “The news about patient data exposure is breaking. Hospital leadership is fielding calls from reporters. Business Operations drops to 50.”
Increases (+5 to +25)
Minor Increases (+5 to +10):
- Non-critical systems restored
- Stakeholder confidence maintained
- Proactive communication success
- Operational workarounds effective
Example: “Your temporary payment system is keeping customers happy. Business Operations improves to 85.”
Moderate Increases (+10 to +20):
- Critical systems restored to operation
- Stakeholder confidence rebuilt through transparency
- Successful crisis communication
- Enhanced operational procedures
Example: “Your honest communication about the breach response is actually building customer trust. Business Operations rises to 95.”
Major Increases (+20 to +25):
- Operations improved beyond pre-incident levels
- Stakeholder confidence significantly enhanced
- Reputation strengthened through crisis response
- New operational capabilities developed
Example: “Your crisis response has been so transparent and effective that you’re being held up as a model for the industry. Business Operations rises to 110.”
Adjustment Timing and Triggers
When to Adjust Tracks
Immediate Adjustments:
- Player actions with clear consequences
- Major discoveries that change the situation
- Successful or failed critical attempts
- Significant story developments

Round-End Adjustments:
- Overall team performance assessment
- Cumulative effect of multiple actions
- Story progression and escalation
- Preparation for next phase

Avoid Adjusting:
- For arbitrary timing or “realism”
- When changes would be confusing or demotivating
- During active collaborative discussion
- For minor details that don’t affect the larger picture
Communicating Adjustments
Clear Announcement: “Based on your successful network isolation, Network Security improves from 65 to 80.”
Explain Reasoning: “Your excellent teamwork in sharing information across roles is keeping IR Effectiveness high despite the technical challenges.”
Use for Tension: “Business Operations just dropped to 60 - stakeholders are starting to panic about the service outage.”
Connect to Learning: “Notice how good communication can maintain high IR Effectiveness even when Network Security is low - this shows the value of coordination.”
Track Interaction Examples
Network Security Low, IR Effectiveness High
Situation: Major breach but excellent team coordination
IM Guidance:
- “Your team is working exceptionally well together despite the serious technical situation.”
- “How is good coordination helping you manage this crisis?”
- “What would happen if your teamwork was poor during a situation like this?”
Adjustment Logic: Team coordination can’t fix technical problems, but it maximizes effectiveness of available options.
Business Operations Impact from Security Decisions
Situation: Aggressive containment disrupts operations
IM Guidance:
- “Your security response is working, but it’s affecting business operations.”
- “How do you balance protection with operational continuity?”
- “What would stakeholders need to know about these trade-offs?”
Adjustment Logic: Good security decisions may temporarily impact operations but should improve long-term stability.
All Tracks Moving Together
Situation: Coordinated response addressing all aspects
IM Guidance:
- “Notice how your decisions are affecting technical security, team effectiveness, and business impact.”
- “What does this teach about the complexity of real incident response?”
- “How do you optimize across all three dimensions?”
Adjustment Logic: Excellent incident response addresses all aspects, sometimes requiring trade-offs.
Common IM Mistakes to Avoid
Over-Adjustment
- Problem: Changing tracks too frequently or dramatically
- Solution: Focus on significant events, use 5-10 point increments
Punishment-Based Adjustments
- Problem: Decreasing tracks to “teach lessons” rather than reflect story
- Solution: Adjust based on narrative logic, not educational agenda
Ignoring Positive Actions
- Problem: Only decreasing tracks, never rewarding good decisions
- Solution: Actively look for opportunities to increase tracks for good teamwork
Mechanical Precision
- Problem: Trying to calculate exact “correct” track values
- Solution: Focus on general direction and relative changes
Session Planning Integration
Pre-Session Preparation
- Review scenario-specific factors that might affect each track
- Identify potential major adjustment triggers
- Consider how organization type affects Business Operations sensitivity
During Session Management
- Use tracking sheet to note current values
- Announce changes when they happen
- Connect adjustments to learning objectives
Post-Session Reflection
- Discuss how track changes reflected team performance
- Explore what final track values mean for organizational resilience
- Connect track progression to real-world incident response principles
Advanced Facilitation Techniques
Using Tracks for Story Pacing
- Low Network Security + High IR Effectiveness = “Good teamwork under pressure”
- High Network Security + Low IR Effectiveness = “Technical success despite coordination issues”
- Declining Business Operations = “Increasing external pressure”
Educational Moments
- Track improvements beyond 100 = “Better than before the incident”
- Track interactions = “Complexity of real incident response”
- Recovery patterns = “How organizations build resilience”
Group Dynamics
- Reward collaborative discoveries with IR Effectiveness increases
- Show how individual excellence contributes to team success
- Use Business Operations pressure to encourage stakeholder thinking
Remember: The three-track system serves learning objectives, not mechanical game balance. Focus on helping teams understand the multidimensional nature of incident response while maintaining engagement and realistic challenge.