New IM 30-Minute Scenario Card Preparation

Complete First-Time Preparation Using Scenario Cards

Minutes 1-5: Essential Materials Setup

Essential Materials Checklist

Malmon cards for chosen scenario (plus 2-3 backups)
Role reference cards or quick sheets
Physical d20 dice (2-3 minimum) - apps often fail
Network Security Status tracker (paper backup)
Blank paper for participant notes and diagrams
Pens/markers for each participant (extras available)
Name tags or table tents for character names
Timer or visible clock for time management

Optional Enhancement Materials

Laptop/tablet for digital resources (if reliable internet)
Projector for sharing information (tested and working)
Printed quick reference guides
MITRE ATT&CK reference materials
Real-world case study examples

Minutes 6-10: Scenario Card Selection and Review

Scenario Card Selection Process

Choose based on group composition and expertise:

High-Tech Groups:

Technology sector scenario cards (CloudCorp, DevStartup, TechGiant)
Focus on development, cloud infrastructure, source code protection
Emphasize rapid scaling and deployment challenges

Mixed Professional Groups:

Healthcare scenario cards (MedTech, Regional Hospital, Medical Research)
Balance technical and business considerations
Emphasize stakeholder complexity and regulatory pressure

Business-Focused Groups:

Financial or Manufacturing scenario cards (RegionalBank, SteelCorp, AutoPlant)
Focus on operational continuity and business impact
Emphasize customer and regulatory stakeholder concerns

Academic/Research Groups:

Educational or Research scenario cards (StateU, Research Institute, Academic Medical)
Focus on intellectual property and academic freedom
Emphasize diverse user base and open environment challenges

Complete Scenario Card Review (5 minutes)

Thoroughly read your selected card:

Card Components:

Hook: Why this attack is happening NOW - memorize opening scenario
Pressure: Business deadline creating urgency - understand timeline
NPCs: All stakeholders and their motivations - practice their voices
Secrets: Organizational vulnerabilities that enabled attack
Villain Plan: 3-stage escalation with evolution triggers
Context Details: Industry specifics, regulatory environment, critical assets

Minutes 11-15: NPC Development and Stakeholder Dynamics

Primary Stakeholder Deep-Dive

From your scenario card’s NPC section:

Primary NPC (Usually IT Director, CIO, etc.):

Name and role: Memorize their position and responsibilities
Core motivation: What keeps them awake at night about this situation
Success criteria: What would a “win” look like for them
Constraints: Why they can’t just “shut everything down”
Communication style: How they interact with different team members

Secondary NPCs (Business stakeholders):

Business sponsor: Who’s driving the deadline/pressure
Operations contact: Who knows day-to-day system usage
Compliance/Legal: Who worries about regulatory implications

Stakeholder Relationship Mapping (3-5 minutes)

Understand the dynamics:

Competing Priorities:

IT Security vs. Business Operations tension
Speed vs. Thoroughness in response
Transparency vs. Reputation management
Cost vs. Comprehensive solution

Information Flow:

Who reports to whom in crisis situations
What information can/cannot be shared
How decisions get made under pressure
External reporting requirements (regulatory, customer, media)

Practice NPC Voices (2 minutes)

Prepare to represent stakeholders authentically:

IT Director: Technical focus, resource constraints, professional reputation
Business Sponsor: Deadline pressure, revenue impact, competitive concerns
Compliance: Regulatory risk, documentation needs, liability exposure

Minutes 16-20: Hook Mastery and Opening Delivery

Hook Internalization (3 minutes)

Master your scenario’s opening hook:

Hook Components:

Professional Context: Industry situation players will recognize
Time Pressure: Specific deadline creating urgency
Vulnerability Creation: Why security was compromised
Current Symptoms: What’s happening NOW

Example Hook Structure:
“[Organization] is [specific timeframe] from [critical business deadline]. During [pressure situation], [stakeholder] approved [security-compromising decision]. Now [symptoms] are appearing…”

Opening Delivery Practice (2 minutes)

Rehearse your hook delivery:

Confident opening: Set professional context immediately
Natural flow: Connect business pressure to security compromise
Stakeholder voice: Speak from NPC perspective when needed
Investigation opening: End with symptoms that demand response

Practice Sequence:

Context: “MedTech Solutions has their biggest hospital go-live Monday morning…”
Pressure: “With the weekend deadline looming, the IT Director approved ‘critical security updates’…”
Compromise: “The updates came from a convincing vendor email during crunch time…”
Current state: “Now, 72 hours before go-live, the hospital is reporting system slowdowns…”
Investigation hook: “What would worry you most in this situation?”

Minutes 21-25: Context-Driven Question Development

Scenario-Specific Discovery Questions (Prepare 7-10)

Based on your scenario card’s professional context:

Context Integration Questions:

“Given [organization’s situation], what would worry you most about these symptoms?”
“In [industry context], who would feel this pressure first?”
“How would [primary stakeholder] be thinking about this situation?”
“What makes this timing particularly problematic for [organization]?”

Professional Experience Questions:

“Who here has experience with [industry context] pressures?”
“What would you know about [business process] that others might not?”
“How would your organization typically handle [stakeholder conflict]?”
“What constraints would [regulatory/business requirement] create for response?”

Stakeholder-Driven Investigation Questions (Prepare 7-10)

Explore NPC motivations and conflicts:

Stakeholder Perspective Questions:

“What would [IT Director] be thinking right now?”
“How would [Business Sponsor] want this handled?”
“What would worry [Compliance Officer] about this approach?”
“What would success look like from [stakeholder] perspective?”

Organizational Dynamics Questions:

“How do these competing priorities typically get resolved?”
“What would [stakeholder] say to justify [time pressure/security compromise]?”
“Who ultimately makes the call when [business vs security conflict] arises?”
“What information would you need to convince [resistant stakeholder]?”

Pressure-Driven Response Questions (Prepare 7-10)

Integrate business timeline and constraints:

Timeline Integration Questions:

“Given the [specific deadline], what are your response options?”
“How do you balance [time pressure] with [thoroughness requirements]?”
“What would you sacrifice to meet the [business deadline]?”
“How would you explain delays to [stakeholder] who’s expecting [business outcome]?”

Professional Reality Questions:

“What would this response look like in your real workplace?”
“How would you document this for [regulatory/compliance requirements]?”
“Who would you need to coordinate with for [complex response approach]?”
“What would you tell [customers/patients/public] if asked about this incident?”

Minutes 26-30: Scenario Adaptation and Confidence Building

Backup Scenario Plans

Prepare for common scenarios:

Alternative Scenario Cards:

If chosen scenario doesn’t resonate: [Secondary card from same category]
If group struggles with complexity: [Simpler organizational context]
If group advances quickly: [More complex stakeholder dynamics]
If professional context doesn’t match: [More familiar industry scenario]

Scenario Adaptation Techniques:

Simplify stakeholders: Focus on primary NPC only
Reduce time pressure: Extend deadline to reduce urgency
Increase engagement: Add stakeholder conflicts or competing priorities
Focus expertise: Emphasize aspects matching group’s professional background

Group Dynamic Challenges:

Silent group: Use stakeholder role-playing to encourage participation
Dominated discussion: Assign different NPCs to different participants
Technical disputes: Redirect to stakeholder perspective and business impact
Knowledge gaps: Focus on common-sense business reasoning over technical details

Emergency Protocols

Know your options when things go wrong:

Technology Failures:

Paper alternatives for all digital tools ready
Manual Network Security Status tracking method
Physical dice available as backup
Continue-regardless mindset

Participant Issues:

Late arrival integration technique
Early departure role transition method
Disruptive behavior de-escalation approach
Medical/personal emergency pause protocol

Scenario Card Confidence Building (Final 2 minutes)

Remind yourself:

The scenario card contains everything you need
Professional context creates immediate engagement
Stakeholder motivations drive natural conflict and discussion
Business pressure creates authentic urgency
Players will connect to the professional scenarios
Questions about context are more powerful than technical explanations
The scenario framework works - trust the cards

Pre-Session Final Checklist

30 Minutes Before Session

All materials arranged and tested
Personal preparation and mindset ready
Emergency contact information available

10 Minutes Before Session

Greet early arrivals, assess energy and expertise informally
Final materials check
Mental transition to facilitator mode
Review opening script if needed
Take deep breath - you’ve prepared well

Just Before Starting

Welcome energy and enthusiasm ready
Confidence in your preparation
Trust in the collaborative process
Excitement about the learning ahead
Remember: facilitation, not expertise

Common New IM Concerns and Responses

“What if I don’t know the technical details?”

Response: The scenario card provides the professional context. Ask about business impact and stakeholder concerns. Technical details emerge from group expertise.

“What if they ask me something I can’t answer?”

Response: “That’s interesting - from [stakeholder] perspective, how would that affect [business concern]?” Keep focus on scenario context.

“What if the scenario doesn’t match their industry?”

Response: Focus on universal business concepts: deadlines, stakeholder pressure, competing priorities. These translate across industries.

“What if the hook doesn’t engage them?”

Response: Ask “What situation would create similar pressure in your organization?” Let them adapt the scenario to their context.— pagetitle: “Adaptable Scenario Templates” —

Adaptable Scenario Templates

Universal Scenario Framework

Template Structure

Every scenario follows this adaptable pattern:

Organization Context (Collaborative or IM-chosen)
Initial Symptoms (2-3 observable problems)
Malmon Selection (Based on group and objectives)
Discovery Phase (Evidence leads to identification)
Investigation Phase (Scope and impact assessment)
Response Phase (Coordinated threat response)

Organization Context Templates

Healthcare Technology (MedTech Solutions)

Organization Profile

Size: 200 employees across 3 locations
Business: Patient management software and medical device integration
Critical Assets: EMR systems, patient databases, medical device networks
Regulatory Environment: HIPAA, FDA medical device regulations
Stakeholders: Hospital clients, patients, regulatory bodies

Built-in Stakes

Customer Trust: Financial data security and privacy
Regulatory Compliance: Bank examination, regulatory penalties
Financial Stability: Fraud prevention, operational continuity
Market Reputation: Community standing, competitor advantage
Legal Liability: Customer lawsuits, regulatory enforcement

Common Vulnerabilities

High-value target for financial crime
Complex legacy system integrations
Mobile banking and remote access points
Third-party vendor connections
Employee access to sensitive financial data

Sample Symptoms for This Context

“Online banking customers reporting unexpected ‘security verification’ requests”
“ATM network showing intermittent connectivity issues”
“Fraud detection system flagging unusual transaction patterns”

Manufacturing/Industrial (SteelCorp Manufacturing)

Organization Profile

Size: 400 employees, main facility plus 2 distribution centers
Business: Steel processing and fabrication for construction industry
Critical Assets: Production control systems, inventory management, safety systems
Regulatory Environment: OSHA, EPA, industry safety standards
Stakeholders: Construction customers, suppliers, employees, local community

Built-in Stakes

Worker Safety: Industrial control system integrity
Production Continuity: Manufacturing schedules, customer commitments
Environmental Compliance: Emission controls, waste management
Supply Chain Impact: Customer projects, economic ripple effects
Competitive Position: Trade secrets, production efficiency

Common Vulnerabilities

Air-gapped networks with occasional connectivity
Legacy industrial control systems
Integration between IT and operational technology (OT)
Remote monitoring and maintenance access
Limited cybersecurity awareness in OT environment

Sample Symptoms for This Context

“Production line computers showing decreased performance during shift changes”
“Maintenance staff reporting new software installations on HMI systems”
“Network monitoring detecting unexpected traffic between IT and OT networks”

Technology Services (CloudCorp)

Organization Profile

Size: 180 employees, distributed workforce with main office
Business: Cloud infrastructure and software development services
Critical Assets: Source code repositories, customer data, cloud infrastructure
Regulatory Environment: SOC 2, various customer compliance requirements
Stakeholders: Software clients, cloud customers, developers, investors

Built-in Stakes

Customer Data: Multi-tenant cloud environment security
Intellectual Property: Proprietary source code and algorithms
Service Availability: 99.9% uptime SLA commitments
Developer Productivity: CI/CD pipeline integrity
Competitive Advantage: Technical capabilities and customer trust

Common Vulnerabilities

Rapid development and deployment cycles
Developer tools and privileged access
Cloud infrastructure misconfigurations
Open source dependency vulnerabilities
Remote workforce security challenges

Sample Symptoms for This Context

“CI/CD pipeline showing unusual build failures and performance issues”
“Developers reporting unexpected authentication prompts in development tools”
“Cloud monitoring alerts showing abnormal resource consumption patterns”

Symptom Template Categories

Performance-Based Symptoms

Use when emphasizing system impact:

Template A: Gradual Degradation

“Systems running [X]% slower since [timeframe]”
“Users reporting increased application response times”
“Database queries taking longer than normal to complete”

Template B: Intermittent Issues

“Critical applications randomly crashing or freezing”
“Network connectivity dropping unexpectedly”
“File access sometimes failing with permission errors”

Template C: Resource Consumption

“Servers showing high CPU/memory usage during off-peak hours”
“Network bandwidth utilization higher than expected”
“Storage systems filling up faster than projected”

User-Reported Symptoms

Use when emphasizing human factor:

Template A: Security Warnings

“Users receiving unexpected [security update/authentication/verification] prompts”
“Help desk calls about suspicious email attachments or links”
“Reports of unfamiliar security software appearing on workstations”

Template B: Application Behavior

“Software behaving differently than usual”
“New icons or programs appearing on desktops”
“Browser redirecting to unexpected websites”

Template C: Communication Issues

“Email delivery delays or failures”
“VPN connections requiring multiple authentication attempts”
“Video conferencing quality degraded significantly”

System Administration Symptoms

Use when emphasizing technical detection:

Template A: Process and Service Anomalies

“Unknown processes consuming system resources”
“Services starting or stopping without administrative action”
“Scheduled tasks appearing that weren’t created by IT”

Template B: Network Anomalies

“Unusual outbound connections to unfamiliar IP addresses”
“Network traffic patterns different from baseline”
“DNS queries to suspicious or unusual domains”

Template C: File System Changes

“Files appearing in unexpected locations”
“System files modified without explanation”
“Backup systems showing inconsistent or missing data”

Malmon-Specific Scenario Adaptations

For Trojan-Type Malmons (GaboonGrabber, FakeBat)

Scenario Focus: Social Engineering + Technical Evasion

Organization Context Adaptation:

Emphasize user education and awareness programs
Include software distribution and update processes
Highlight trust relationships and authority structures

Symptom Selection:

User reports of software update requests
New executable files in unexpected locations
Performance issues suggesting hidden processes

Investigation Emphasis:

Social engineering analysis
Software authenticity verification
Process injection and masquerading detection

Response Focus:

User training and awareness improvements
Software distribution security enhancement
Behavioral analysis implementation

For Worm-Type Malmons (WannaCry, Code Red, Raspberry Robin)

Scenario Focus: Network Propagation + Rapid Spread

Organization Context Adaptation:

Emphasize network architecture and segmentation
Include patch management processes
Highlight interconnected systems and dependencies

Symptom Selection:

Multiple systems showing similar symptoms
Network performance degradation
Propagation vector evidence (USB, network shares, vulnerabilities)

Investigation Emphasis:

Network traffic analysis
Propagation vector identification
Vulnerable system assessment

Response Focus:

Network segmentation and isolation
Patch deployment strategies
Containment vs. business continuity trade-offs

For Ransomware-Type Malmons (LockBit)

Scenario Focus: Data Encryption + Business Impact

Organization Context Adaptation:

Emphasize backup and recovery capabilities
Include business continuity planning
Highlight regulatory and legal implications

Symptom Selection:

File access failures or corruption
Ransom demands or threatening messages
Backup system interference

Investigation Emphasis:

Data impact assessment
Backup integrity verification
Recovery time estimation

Response Focus:

Backup restoration strategies
Business continuity maintenance
Stakeholder communication

For APT-Type Malmons (Stuxnet, Noodle RAT)

Scenario Focus: Sophisticated Persistence + Attribution

Organization Context Adaptation:

Emphasize high-value assets and strategic importance
Include geopolitical or competitive context
Highlight advanced threat detection capabilities

Symptom Selection:

Subtle, long-term indicators
Advanced evasion technique evidence
Strategic asset targeting patterns

Investigation Emphasis:

Advanced persistent threat analysis
Attribution and threat actor profiling
Sophisticated technique identification

Response Focus:

Advanced threat hunting
Counter-intelligence considerations
Long-term security architecture improvements

Collaborative Context Creation

Group-Driven Organization Building

Instead of pre-selecting context, facilitate group creation:

Opening Questions

“What kind of organization should we protect today?”
“What would be devastating if compromised here?”
“What makes this organization unique or challenging to secure?”
“What regulatory or business constraints do we need to consider?”

Collaborative Filling

Let group decide:

Industry and business model
Size and geographic distribution
Critical assets and stakeholders
Regulatory environment
Competitive landscape

Benefits of Collaborative Creation

Immediate investment in scenario
Authentic expertise application
Natural constraints and considerations
Real-world relevance for participants

Adaptive Context Refinement

Adjust based on group responses:

If Group Chooses Familiar Industry

Build on their expertise
Add realistic complexities they know
Use their experience to drive discovery

If Group Chooses Unfamiliar Industry

Focus on universal security principles
Emphasize transferable concepts
Use common-sense reasoning

If Group Creates Complex Scenario

Embrace the complexity
Use their knowledge to manage details
Let expertise drive technical accuracy

Time-Adaptive Scenario Scaling

60-Minute Sessions

Condensed Format:

Setup: 8 minutes (faster character creation)
Discovery: 20 minutes (focus on identification)
Investigation: 15 minutes (scope assessment only)
Response: 15 minutes (key coordination decisions)
Closing: 2 minutes (quick debrief)

Scenario Adaptations:

Simpler organization context
Clearer symptoms with obvious leads
Streamlined Malmon choices (GaboonGrabber, FakeBat)
Focus on core learning objectives

90-Minute Sessions

Standard Format:

Setup: 13 minutes (full character development)
Discovery: 25 minutes (thorough investigation)
Investigation: 25 minutes (complete impact assessment)
Response: 25 minutes (coordinated team response)
Closing: 2 minutes (structured debrief)

Scenario Adaptations:

Rich organization context
Complex symptom patterns
Full Malmon capability exploration
Complete learning objective coverage

120-Minute Sessions

Extended Format:

Setup: 15 minutes (detailed character development)
Discovery: 30 minutes (comprehensive investigation)
Investigation: 35 minutes (deep impact analysis)
Response: 35 minutes (sophisticated coordination)
Closing: 5 minutes (detailed debrief and planning)

Scenario Adaptations:

Complex organization with multiple stakeholders
Layered symptom discovery
Advanced Malmon with evolution
Multiple learning objectives integration

Scenario Difficulty Scaling

Beginner Groups

Characteristics: Limited cybersecurity experience, mixed technical backgrounds

Scenario Adaptations:

Clear, obvious symptoms
Straightforward organization context
Simple Malmon with clear characteristics
Focus on basic concepts and collaboration

Example Scenario:

Organization: Small medical practice
Symptoms: Obvious fake software, clear performance issues
Malmon: GaboonGrabber
Focus: Social engineering awareness, basic incident response

Intermediate Groups

Characteristics: Some cybersecurity knowledge, varied expertise levels

Scenario Adaptations:

Mixed obvious and subtle symptoms
Realistic organization complexity
Moderate Malmon complexity
Balance of technical and business concepts

Example Scenario:

Organization: Regional bank with multiple branches
Symptoms: Performance issues plus network anomalies
Malmon: WannaCry or Gh0st RAT
Focus: Network security, coordinated response

Advanced Groups

Characteristics: Experienced cybersecurity professionals

Scenario Adaptations:

Subtle, realistic symptoms
Complex organization with multiple constraints
Sophisticated Malmon with advanced capabilities
Advanced technical concepts and attribution

Example Scenario:

Organization: Critical infrastructure provider
Symptoms: Subtle system changes, advanced evasion indicators
Malmon: Stuxnet or Noodle RAT
Focus: Advanced persistent threats, attribution analysis

Emergency Scenario Pivots

When Chosen Scenario Doesn’t Work

Symptoms Don’t Resonate

Quickly adapt symptoms to group interests
Ask what symptoms would concern them most
Let group suggest alternative indicators

Organization Context Fails

Switch to collaborative context creation
Ask group to suggest alternative organization
Focus on universal security principles

Malmon Too Complex/Simple

Have backup Malmon cards ready
Adapt complexity through questioning
Focus on appropriate learning level

Mid-Session Adaptations

Group Advances Too Quickly

Add evolution scenarios
Introduce additional complications
Explore advanced technical concepts

Group Struggles with Complexity

Simplify remaining phases
Focus on core concepts
Provide more guidance

Interest Shifts Dramatically

Follow group interest
Adapt scenario to their direction
Maintain learning objectives through different path

Remember: Templates provide structure, but group expertise and interest should drive content. The best scenarios emerge from collaborative adaptation rather than rigid adherence to predetermined frameworks.

Patient Safety: Medical device control systems
Privacy Compliance: Protected health information (PHI)
Business Continuity: Hospital operations depend on systems
Regulatory Penalties: HIPAA violations, FDA sanctions
Reputation Risk: Patient trust, industry credibility

Common Vulnerabilities

Legacy medical device integration
User convenience vs. security trade-offs
Interconnected systems across multiple hospitals
Limited downtime windows for security updates
Complex vendor relationships and access requirements

Sample Symptoms for This Context

“Hospital clients reporting EMR system slowdowns during peak hours”
“Medical device network showing unusual connectivity patterns”
“IT support receiving calls about ‘system update’ prompts on workstations”

Financial Services (RegionalBank)

Organization Profile

Size: 350 employees, main branch plus 12 locations
Business: Regional banking with commercial and personal services
Critical Assets: Core banking systems, customer databases, ATM networks
Regulatory Environment: FDIC, state banking commission, SOX compliance
Stakeholders: Customers, regulators, correspondent banks, employees

Built-in Stakes

Response: Use your emergency questions, lower the stakes, change the physical dynamic. Have specific techniques ready.

“What if I make mistakes?”

Response: Acknowledge briefly and move forward. “Let me correct that…” or “Actually, let’s think about this differently.” Mistakes become teaching moments.

Post-Session Reflection

Immediate Post-Session (5 minutes)

What scenario elements worked well?
Which stakeholder dynamics generated the best discussions?
How did the professional context resonate with the group?
What business pressure created the most authentic engagement?

Later Reflection (15 minutes)

Which scenario card components were most effective?
How could stakeholder development be improved?
What professional contexts would serve this group better?
What follow-up scenarios would build on this experience?

Planning Next Session

What scenario card adjustments for similar groups?
What industry contexts to explore?
What stakeholder dynamics to emphasize?
How to build scenario continuity across sessions?

Remember: Scenario cards provide the foundation for confident facilitation. Rich professional context creates authentic engagement. Trust the cards, trust the stakeholders, and trust the business pressure to drive learning.