Lunch & Learn Template

🍱 Lunch & Learn Template

Target Time: 75-90 minutes

This template provides a substantial collaborative session suitable for typical training slots, balancing guided structure with comfortable pacing for deeper engagement.

When to Use:

  • Department training sessions.
  • Team building activities focused on cybersecurity.
  • Professional development workshops (e.g., skill refreshers).
  • Regular security awareness sessions that go beyond basic lectures.

Pre-Configured Settings:

  • MAJOR TIME IMPACT:
    • Number of Rounds: 2 rounds
    • Actions per Player: 2 actions per round
  • MODERATE TIME IMPACT:
    • Investigation Structure: Guided (IM presents clues on a timeline)
    • Response Structure: Pre-defined (IM presents 2-3 clear options)
    • Team Size: 4-6 players (standard roles recommended)
  • MINOR TIME IMPACT:
    • Success Mechanics: Dice/Cards (add an element of chance)
    • Debrief Length: Standard (10 min)
    • Turn Timer: None
  • COMPLEXITY OPTIONS:
    • Attack Complexity: Single or multi-stage (adaptable to team experience)
    • Evidence Type: Clear containment
    • Red Herrings: Absent
    • Containment Clarity: Clear type effectiveness
    • NPC Count: Full cast (4-6 NPCs for richer interaction)
    • Badge Tracking: On
    • Reference Materials: Available

Experience:

A comprehensive, collaborative session allowing players to engage with more complex scenarios and decision-making processes, supported by the IM. The dice mechanics introduce a realistic element of uncertainty.

Time Breakdown (Example 90-minute session):

  • Introduction & Role Assignment: 10 minutes
  • Scenario Briefing: 10 minutes
  • Gameplay (2 rounds, 2 actions, Guided/Pre-defined): ~60 minutes
  • Standard Debrief: 10 minutes
  • Total: ~90 minutes

Customize This Template:

You can adjust individual options from this template to suit your needs.

  • Reduce to 60 min: Change “Actions per Player” to 1 action per round.
  • Add 15-20 min:
    • Switch “Investigation Structure” to “Open”.
    • Switch “Response Structure” to “Creative”.
  • Make harder:
    • Switch “Evidence Type” to “Subtle” or “Mixed”.
    • Introduce “Red Herrings” (Present).
  • Focus on learning: Ensure “Reference Materials” are available.

Facilitation Notes:

  • Encourage player discussion and collaboration within the guided framework.
  • Manage the introduction of clues to maintain pace without overwhelming players.
  • Explain dice mechanics clearly for fair and engaging outcomes.
  • Facilitate a structured debrief to solidify learning outcomes and connect to real-world applications.

Lunch & Learn Prep Checklist

Pre-Session Materials (20-30 min prep)

Guided Investigation Clues (6-9 clues across 2 rounds):

  • Round 1: Discovery & Identification (3-4 clues)
    • Clue 1 (Minute 5): Initial anomaly or user report
    • Clue 2 (Minute 10): Technical evidence confirming attack
    • Clue 3 (Minute 15): Malware family identification
    • Clue 4 (Minute 20, optional): Scope of initial compromise
  • Round 2: Scope Assessment & Response (3-5 clues)
    • Clue 5 (Minute 30): Lateral movement discovery
    • Clue 6 (Minute 40): Data exfiltration or additional systems affected
    • Clue 7 (Minute 50): Business impact assessment
    • Clue 8-9 (Minute 55-60, optional): Additional complexity or stakeholder pressure

Pre-Defined Response Options (per round):

  • Round 1 Options: Initial Containment
    • Option A: Aggressive immediate containment (high effectiveness, high disruption)
    • Option B: Balanced investigation + containment (moderate effectiveness, moderate disruption)
    • Option C: Cautious monitoring approach (low disruption, ongoing risk)
  • Round 2 Options: Comprehensive Response
    • Option A: Full incident response with external support (thorough, expensive, time-consuming)
    • Option B: Internal response with targeted remediation (balanced, requires expertise)
    • Option C: Minimal intervention with enhanced monitoring (fast, leaves residual risk)

Session Flow (2-round structure)

Round 1 (30-35 minutes): Discovery → Identification → Initial Response

  • Present clues 1-4 at designated times
  • Players investigate and identify the threat
  • Present Round 1 response options
  • Players debate and decide on initial containment
  • Adjudicate outcome with dice/cards

Round Transition (5 minutes): Situation Evolution

  • Narrate how the attack has progressed since Round 1
  • Reveal consequences of Round 1 decision
  • Build tension for Round 2

Round 2 (30-35 minutes): Scope → Impact → Comprehensive Response

  • Present clues 5-9 revealing full scope
  • Players assess complete impact
  • Present Round 2 response options
  • Players formulate comprehensive response strategy
  • Adjudicate final outcome

Materials Location Pattern

If scenario card has “Guided Investigation Clues” section:

  • Use Round 1 and Round 2 clues directly from scenario card
  • Pre-defined response options should be in scenario card under “Pre-Defined Response Options”

If not, extract from planning document:

  • Round 1 Clues: Planning document Section 5 → Round 1 evidence and discoveries
  • Round 2 Clues: Planning document Section 5 → Round 2 evidence and scope assessment
  • Response Options: Planning document Section 6 → “Type-Effective Approaches” (adapt to Round 1/Round 2 contexts)

What Makes Lunch & Learn Unique

Two-Round Narrative Arc: The session tells a complete story with evolution between rounds. Round 1 focuses on discovery and identification, while Round 2 reveals implications and requires comprehensive response. This creates a satisfying narrative progression from “What is this?” to “How do we handle the full scope?”

Guided but Collaborative: Unlike Quick Demo (IM-driven) or Full Game (player-driven), Lunch & Learn strikes a balance. The IM guides investigation through timed clues, but players have meaningful discussion time to process information and debate options before making decisions.