5-Minute Scenario Card Preparation

For Experienced IMs Using Scenario Cards

Minute 1: Scenario Card Selection

Quick Card Selection

Choose based on group and objectives:

• Healthcare scenarios (patient data, HIPAA, life-critical)
• Financial scenarios (customer data, regulatory, fraud)
• Manufacturing scenarios (production, safety, IP)
• Technology scenarios (source code, customer data, service availability)
• Municipal scenarios (public services, citizen data)

Card Review Checklist

Quick scan of selected card:

• Hook - Why this attack is happening NOW
• Pressure - Real business deadlines creating urgency
• NPCs - Key stakeholders and their motivations
• Secrets - Organizational vulnerabilities
• Villain Plan - 3-stage progression with triggers

Minute 2: NPC Motivation Review

Stakeholder Quick-Scan

From your selected scenario card:

• Primary stakeholder (IT Director, Hospital CIO, etc.)
• Secondary stakeholder (Finance, Operations, etc.)
• External pressure source (Regulatory, Customer, etc.)

Motivation Summary

Key stakeholder concerns:

• What they’re worried about RIGHT NOW
• What success looks like for them
• What failure would mean
• Why they can’t just “shut everything down”

Conflict Preparation

Stakeholder tensions:

• Competing priorities (Security vs. Operations)
• Time pressures (Deadlines vs. Thoroughness)
• Resource constraints (Budget, Personnel, Expertise)

Minute 3: Hook Internalization

Why This Attack NOW

From scenario card hook:

• Specific timing trigger (go-live, deadline, event)
• Organizational pressure creating vulnerability
• Real-world deadline creating urgency
• Why normal security processes were bypassed

Professional Context

Make it immediately recognizable:

• Industry-specific situation players will know
• Realistic stakeholder dynamics
• Authentic business constraints
• Natural investigation starting points

Opening Hook Practice

Rehearse scenario opening:

• “[Organization] is 72 hours from [critical deadline]”
• “During [pressure situation], IT approved [vulnerability]”
• “Now [symptoms] are appearing…”

Minute 4: Pressure Timeline Review

Business Deadline Understanding

From scenario card pressure section:

• Specific deadline (Monday go-live, Friday payroll, etc.)
• Consequences of delay (patient safety, regulatory, financial)
• Why the deadline can’t move
• How much time players have to respond

Escalation Timeline

If threat evolves:

• Stage 1: Current symptoms (what players see now)
• Stage 2: Escalation trigger (if not contained quickly)
• Stage 3: Full impact (business/operational failure)
• Time windows for each stage

Urgency Balance

Create authentic pressure:

• Real business consequences
• Realistic time constraints
• Stakeholder expectations
• Professional accountability

Minute 5: Question Preparation

Context-Driven Discovery Questions

Based on scenario card context:

• “Given [organization situation], what would worry you most?”
• “In [industry context], who would feel this pressure first?”
• “What would [stakeholder] be thinking right now?”
• “How would you handle [competing pressures] in this situation?”

Scenario-Specific Follow-ups

From card details:

• Questions about organizational vulnerabilities
• Stakeholder motivation exploration
• Professional experience connections
• Real-world constraint discussions

Final Confidence Check

• I understand the scenario’s professional context
• I can explain why this attack is happening NOW
• I know the key stakeholder motivations
• I’m ready to facilitate discovery, not lecture
• Materials ready: scenario card, dice, tracking sheets

Quick Scenario Card Reference

Scenario Card Categories

GaboonGrabber Scenarios ⭐⭐

• Contexts: Healthcare, Finance, Manufacturing, Municipal
• Good for: All groups, first sessions, clear social engineering
• Stakes: Patient safety, financial fraud, production disruption
• Key themes: Trust exploitation, urgent deadlines, stakeholder pressure

WannaCry Scenarios ⭐⭐⭐

• Contexts: Municipal, Healthcare, Manufacturing, Finance
• Good for: Network-focused groups, rapid response
• Stakes: Public services, patient care, production lines
• Key themes: Network propagation, patch management, business continuity

Stuxnet Scenarios ⭐⭐⭐⭐

• Contexts: Energy, Manufacturing, Research, Defense
• Good for: Advanced groups, attribution discussions
• Stakes: Critical infrastructure, safety systems, national security
• Key themes: Sophisticated attacks, air-gap jumping, geopolitical implications

Scenario Card Context Examples

Healthcare Scenarios

• MedTech: Hospital go-live pressure, EMR system vulnerabilities, patient safety stakes
• Regional Hospital: Emergency department systems, medical device networks, HIPAA compliance
• Medical Research: Clinical trial data, FDA approval deadlines, research integrity

Financial Scenarios

• RegionalBank: Payroll processing deadlines, customer transaction systems, regulatory oversight
• Credit Union: Member service continuity, fraud detection systems, examination pressure
• Investment Firm: Trading platform stability, client data protection, market confidence

Manufacturing Scenarios

• SteelCorp: Production line control, supply chain integration, worker safety
• AutoPlant: Just-in-time manufacturing, quality systems, customer delivery commitments
• ChemicalCorp: Process control safety, environmental compliance, regulatory inspection

Scenario Card Hook Examples

Time-Pressure Hooks

• “Hospital go-live scheduled for Monday morning…”
• “City payroll must process by Friday for 1,200 employees…”
• “Nuclear plant maintenance window closes in 72 hours…”

Stakeholder-Pressure Hooks

• “Under project deadline pressure, IT approved ‘critical updates’…”
• “To avoid regulatory penalties, Finance pushed through vendor access…”
• “With inspection tomorrow, Operations bypassed security protocols…”

Organizational-Context Hooks

• “During the biggest product launch in company history…”
• “While preparing for the annual board presentation…”
• “As the merger deadline approaches…”

Post-Session Quick Notes

What Worked

• Which scenario elements generated best discussions?
• What stakeholder dynamics resonated with group?
• Which context details were most effective?
• What professional connections worked well?

What to Improve

• Where did scenario engagement drop?
• What context needed better explanation?
• How could stakeholder transitions be smoother?
• What scenario type would serve this group better?

For Next Time

• Scenario card selection adjustments
• Context refinements based on group expertise
• Stakeholder emphasis improvements
• Follow-up scenario opportunities

Remember: Scenario cards provide rich context that beats 30 minutes of planning. Trust the cards and the participants.