Network Security Status Adjustment Guide

Quick Reference for Track Adjustments

This guide provides practical guidance for adjusting the three-track Network Security Status system during sessions based on player actions and story developments.

Core Adjustment Principles

Adjust based on player actions, not arbitrary timing

  • Track changes should reflect meaningful player decisions and discoveries
  • Avoid mechanical point deductions without narrative justification
  • Reward effective teamwork and strategic thinking

Make changes visible and educational

  • Announce track changes when they happen
  • Explain the reasoning behind adjustments
  • Use changes to drive story tension and learning moments

Keep it simple during facilitation

  • Don’t overthink precise numbers; focus on the general direction
  • Use 5-10 point increments for most adjustments
  • Major events can warrant 15-25 point changes

Network Security Track Adjustments

Decreases (-5 to -30)

Minor Decreases (-5 to -10):

  • Malware spreads to 1-2 additional systems
  • Minor security control failure or bypass
  • Delayed response allows limited damage
  • Discovery of previously unknown vulnerability

Example: “The malware has spread to the HR department systems. Network Security drops to 85.”

Moderate Decreases (-10 to -20):

  • Significant system compromise or data theft
  • Major security control failure
  • Critical vulnerability exploitation
  • Persistent threat establishment

Example: “With admin credentials compromised, the attacker has elevated access across multiple servers. Network Security drops to 70.”

Major Decreases (-20 to -30):

  • Critical infrastructure systems compromised
  • Massive data breach or system encryption
  • Complete security control bypass
  • Threat evolution or escalation

Example: “The ransomware has encrypted your primary database servers. Network Security drops to 45.”

Increases (+5 to +25)

Minor Increases (+5 to +10):

  • Successful threat containment on specific systems
  • Effective security control implementation
  • Vulnerability patching completion
  • Improved monitoring deployment

Example: “You’ve successfully isolated the infected workstations. Network Security improves to 75.”

Moderate Increases (+10 to +20):

  • Significant threat neutralization
  • Major security enhancement implementation
  • Successful system recovery and hardening
  • Comprehensive vulnerability remediation

Example: “Your network segmentation has stopped the lateral movement completely. Network Security jumps to 85.”

Major Increases (+20 to +25):

  • Complete threat elimination
  • Revolutionary security improvement
  • Advanced defensive capability deployment
  • Comprehensive system restoration with enhancements

Example: “You’ve not only eliminated the threat but implemented advanced monitoring that would catch similar attacks in hours instead of days. Network Security rises to 95.”

IR Effectiveness Track Adjustments

Decreases (-5 to -25)

Minor Decreases (-5 to -10):

  • Slight communication breakdown between roles
  • Minor coordination issues or delays
  • Individual team member confusion
  • Incomplete information sharing

Example: “The Detective and Protector are working on conflicting assumptions. IR Effectiveness drops to 90.”

Moderate Decreases (-10 to -20):

  • Significant role conflict or duplication
  • Major communication breakdown
  • Investigation going seriously off-track
  • Team decision paralysis

Example: “The team is splitting into two different approaches without coordination. IR Effectiveness drops to 75.”

Major Decreases (-20 to -25):

  • Complete team coordination breakdown
  • Critical information missed due to poor communication
  • Major strategic disagreement preventing action
  • Individual performance undermining team effort

Example: “The lack of coordination has led to contradictory actions that are making the situation worse. IR Effectiveness drops to 60.”

Increases (+5 to +25)

Minor Increases (+5 to +10):

  • Good role coordination and information sharing
  • Effective use of individual expertise
  • Clear communication about findings
  • Collaborative problem-solving

Example: “Your systematic information sharing is building a clear picture of the threat. IR Effectiveness rises to 110.”

Moderate Increases (+10 to +20):

  • Exceptional teamwork and role synergy
  • Breakthrough collaborative discovery
  • Outstanding communication under pressure
  • Strategic coordination across all roles

Example: “The way you’re building on each other’s discoveries is creating insights none of you would have reached alone. IR Effectiveness jumps to 125.”

Major Increases (+20 to +25):

  • Seamless team coordination under extreme pressure
  • Innovative collaborative problem-solving
  • Perfect role integration and communication
  • Team performance exceeding individual capabilities

Example: “Your team coordination is so effective you’re anticipating each other’s needs. This is textbook incident response. IR Effectiveness rises to 135.”

Business Operations Track Adjustments

Decreases (-5 to -30)

Minor Decreases (-5 to -10):

  • Non-critical system disruption
  • Minor stakeholder concern or questions
  • Slight operational inefficiency
  • Limited service degradation

Example: “Email is running slowly, affecting daily operations. Business Operations drops to 90.”

Moderate Decreases (-10 to -20):

  • Critical system outage affecting operations
  • Significant stakeholder pressure or concern
  • Regulatory scrutiny beginning
  • Major service disruption

Example: “With the payment processing down, customers can’t complete transactions. Business Operations drops to 75.”

Major Decreases (-20 to -30):

  • Mission-critical system failure
  • Public disclosure of security incident
  • Regulatory enforcement action
  • Complete operational disruption

Example: “The news about patient data exposure is breaking. Hospital leadership is fielding calls from reporters. Business Operations drops to 50.”

Increases (+5 to +25)

Minor Increases (+5 to +10):

  • Non-critical systems restored
  • Stakeholder confidence maintained
  • Proactive communication success
  • Operational workarounds effective

Example: “Your temporary payment system is keeping customers happy. Business Operations improves to 85.”

Moderate Increases (+10 to +20):

  • Critical systems restored to operation
  • Stakeholder confidence rebuilt through transparency
  • Successful crisis communication
  • Enhanced operational procedures

Example: “Your honest communication about the breach response is actually building customer trust. Business Operations rises to 95.”

Major Increases (+20 to +25):

  • Operations improved beyond pre-incident levels
  • Stakeholder confidence significantly enhanced
  • Reputation strengthened through crisis response
  • New operational capabilities developed

Example: “Your crisis response has been so transparent and effective that you’re being held up as a model for the industry. Business Operations rises to 110.”

Adjustment Timing and Triggers

When to Adjust Tracks

Immediate Adjustments:

  • Player actions with clear consequences
  • Major discoveries that change the situation
  • Successful or failed critical attempts
  • Significant story developments

Round-End Adjustments:

  • Overall team performance assessment
  • Cumulative effect of multiple actions
  • Story progression and escalation
  • Preparation for next phase

Avoid Adjusting:

  • For arbitrary timing or “realism”
  • When changes would be confusing or demotivating
  • During active collaborative discussion
  • For minor details that don’t affect the larger picture

Communicating Adjustments

Clear Announcement: “Based on your successful network isolation, Network Security improves from 65 to 80.”

Explain Reasoning: “Your excellent teamwork in sharing information across roles is keeping IR Effectiveness high despite the technical challenges.”

Use for Tension: “Business Operations just dropped to 60 - stakeholders are starting to panic about the service outage.”

Connect to Learning: “Notice how good communication can maintain high IR Effectiveness even when Network Security is low - this shows the value of coordination.”

Track Interaction Examples

Network Security Low, IR Effectiveness High

Situation: Major breach but excellent team coordination

IM Guidance:

  • “Your team is working exceptionally well together despite the serious technical situation.”
  • “How is good coordination helping you manage this crisis?”
  • “What would happen if your teamwork was poor during a situation like this?”

Adjustment Logic: Team coordination can’t fix technical problems, but it maximizes the effectiveness of the available options.

Business Operations Impact from Security Decisions

Situation: Aggressive containment disrupts operations

IM Guidance:

  • “Your security response is working, but it’s affecting business operations.”
  • “How do you balance protection with operational continuity?”
  • “What would stakeholders need to know about these trade-offs?”

Adjustment Logic: Good security decisions may temporarily impact operations but should improve long-term stability.

All Tracks Moving Together

Situation: Coordinated response addressing all aspects

IM Guidance:

  • “Notice how your decisions are affecting technical security, team effectiveness, and business impact.”
  • “What does this teach about the complexity of real incident response?”
  • “How do you optimize across all three dimensions?”

Adjustment Logic: Excellent incident response addresses all aspects, sometimes requiring trade-offs.

Common IM Mistakes to Avoid

Over-Adjustment

  • Problem: Changing tracks too frequently or dramatically
  • Solution: Focus on significant events, use 5-10 point increments

Punishment-Based Adjustments

  • Problem: Decreasing tracks to “teach lessons” rather than to reflect the story
  • Solution: Adjust based on narrative logic, not an educational agenda

Ignoring Positive Actions

  • Problem: Only decreasing tracks, never rewarding good decisions
  • Solution: Actively look for opportunities to increase tracks for good teamwork

Mechanical Precision

  • Problem: Trying to calculate exact “correct” track values
  • Solution: Focus on general direction and relative changes

Hidden Adjustments

  • Problem: Changing tracks without explanation
  • Solution: Make changes visible and educational

Session Planning Integration

Pre-Session Preparation

  • Review scenario-specific factors that might affect each track
  • Identify potential major adjustment triggers
  • Consider how organization type affects Business Operations sensitivity

During Session Management

  • Use the tracking sheet to note current values
  • Announce changes when they happen
  • Connect adjustments to learning objectives

Post-Session Reflection

  • Discuss how track changes reflected team performance
  • Explore what final track values mean for organizational resilience
  • Connect track progression to real-world incident response principles

Advanced Facilitation Techniques

Using Tracks for Story Pacing

  • Low Network Security + High IR Effectiveness = “Good teamwork under pressure”
  • High Network Security + Low IR Effectiveness = “Technical success despite coordination issues”
  • Declining Business Operations = “Increasing external pressure”

Educational Moments

  • Track improvements beyond 100 = “Better than before the incident”
  • Track interactions = “Complexity of real incident response”
  • Recovery patterns = “How organizations build resilience”

Group Dynamics

  • Reward collaborative discoveries with IR Effectiveness increases
  • Show how individual excellence contributes to team success
  • Use Business Operations pressure to encourage stakeholder thinking

Remember: The three-track system serves learning objectives, not mechanical game balance. Focus on helping teams understand the multidimensional nature of incident response while maintaining engagement and realistic challenge.