NPC Development Guide

Creating Compelling Non-Player Characters for M&M Scenarios

Non-Player Characters (NPCs) transform cybersecurity incident response scenarios from technical exercises into rich, human-centered stories. Well-developed NPCs provide information, create complications, and drive narrative tension while teaching realistic organizational dynamics.

The Role of NPCs in M&M Sessions

Information Sources

NPCs provide crucial context about:

How the incident unfolded from different organizational perspectives
Hidden pressures and constraints affecting response options
Organizational culture and decision-making processes
Stakeholder concerns that complicate technical solutions

Conflict Generators

NPCs create realistic tension through:

Competing priorities that force difficult trade-offs
Different risk tolerances and time pressures
Organizational politics that complicate coordination
External stakeholder demands that limit response options

Learning Catalysts

NPCs facilitate education by:

Representing different organizational roles and perspectives
Demonstrating how cybersecurity impacts various business functions
Creating opportunities for players to practice stakeholder communication
Illustrating real-world constraints on ideal security responses

NPC Archetype Library

Executive Leadership Archetypes

The Results-Driven CEO

Typical Concerns:

Revenue impact and customer confidence
Competitive advantage and market position
Regulatory compliance and legal liability
Public relations and company reputation

Common Motivations:

Minimize business disruption at all costs
Protect shareholder value and quarterly results
Maintain customer trust and market credibility
Avoid regulatory scrutiny and legal exposure

Typical Dialogue Patterns:

“What’s the bottom-line impact of this incident?”
“How quickly can we get back to normal operations?”
“Do we need to notify customers or can we handle this quietly?”
“What’s this going to cost us in lost revenue?”

Relationship Dynamics:

Often impatient with technical details
Focused on business outcomes over security process
May pressure for faster resolution than security allows
Needs clear, non-technical communication about risks and options

Scenario Applications:

Creates time pressure for rapid incident resolution
Forces discussion of business continuity vs. security thoroughness
Represents stakeholder communication challenges
Illustrates C-level perspective on cybersecurity investments

The Compliance-Focused COO

Typical Concerns:

Regulatory reporting requirements and deadlines
Audit compliance and documentation standards
Process improvement and operational efficiency
Risk management and liability mitigation

Common Motivations:

Ensure all regulatory obligations are met properly
Document comprehensive response for audit purposes
Maintain operational processes and procedure adherence
Minimize regulatory penalties and compliance violations

Typical Dialogue Patterns:

“What are our reporting requirements for this type of incident?”
“How do we document our response for the auditors?”
“Are we following established incident response procedures?”
“What compliance violations might result from this breach?”

Relationship Dynamics:

Values thorough documentation and process adherence
May slow incident response to ensure proper procedures
Strong ally for comprehensive security investment
Provides regulatory expertise and compliance guidance

Scenario Applications:

Adds regulatory complexity to technical response decisions
Creates tension between speed and compliance thoroughness
Represents organizational commitment to security processes
Illustrates connection between security and regulatory frameworks

IT Leadership Archetypes

The Overwhelmed IT Director

Typical Concerns:

System stability and user productivity
Resource constraints and competing priorities
Staff workload and technical debt management
Balancing security with usability demands

Common Motivations:

Keep systems running and users productive
Manage competing demands with limited resources
Avoid blame for security incidents or system failures
Demonstrate IT value to organizational leadership

Typical Dialogue Patterns:

“We’ve been telling management we need security investment for months”
“How do we contain this without shutting down critical systems?”
“My team is already stretched thin with other priorities”
“Users are going to complain if we restrict access too much”

Relationship Dynamics:

Often defensive about security gaps due to resource constraints
Valuable source of technical context and system knowledge
May have insights about organizational security culture
Balances security concerns with operational demands

Scenario Applications:

Provides realistic resource and time constraints
Illustrates common IT security challenges and trade-offs
Creates opportunities to discuss security investment priorities
Represents technical expertise while highlighting organizational limitations

The Security-Conscious CISO

Typical Concerns:

Threat landscape evolution and organizational preparedness
Security awareness and culture development
Incident response effectiveness and lessons learned
Strategic security architecture and long-term planning

Common Motivations:

Protect organizational assets and reputation through robust security
Build security awareness and culture throughout organization
Demonstrate security program value to executive leadership
Continuously improve security posture based on threat intelligence

Typical Dialogue Patterns:

“This incident validates the threats I’ve been warning about”
“What can we learn from this to prevent future attacks?”
“How does this change our risk assessment and security priorities?”
“What additional security controls should we implement?”

Relationship Dynamics:

Strong advocate for comprehensive security response
Provides strategic security perspective and threat intelligence
May conflict with business leaders over security vs. productivity
Valuable mentor for technical security analysis and planning

Scenario Applications:

Represents security expertise and strategic thinking
Creates opportunities for threat intelligence and attribution discussion
Illustrates tension between security thoroughness and business demands
Provides pathway for advanced security concepts and techniques

End User Representative Archetypes

The Frustrated Department Head

Typical Concerns:

Department productivity and work completion
Staff morale and work environment quality
Customer service and external relationship management
Meeting deadlines and performance objectives

Common Motivations:

Minimize disruption to department operations and staff productivity
Maintain quality customer service and external relationships
Protect staff from blame and additional work burden
Complete critical projects and meet important deadlines

Typical Dialogue Patterns:

“My team can’t afford downtime during our busy season”
“How long before we can get back to normal operations?”
“Are you saying my staff did something wrong?”
“We have customers depending on us to deliver on time”

Relationship Dynamics:

Often focused on immediate operational impact over security implications
May resist security measures that reduce productivity or convenience
Valuable source of information about user behavior and organizational culture
Represents broader organizational perspective beyond IT and security

Scenario Applications:

Illustrates business impact of security incidents and responses
Creates realistic pressure for rapid resolution
Provides opportunities to discuss user education and awareness
Represents stakeholder communication and change management challenges

The Tech-Savvy Power User

Typical Concerns:

Technology efficiency and advanced feature utilization
System performance and capability optimization
Integration between different tools and platforms
Innovation and technology adoption opportunities

Common Motivations:

Maximize personal and team productivity through technology
Explore new tools and techniques for competitive advantage
Maintain access to advanced features and system capabilities
Share technology knowledge and mentor colleagues

Typical Dialogue Patterns:

“I noticed unusual network behavior yesterday but didn’t think much of it”
“Can I help with the technical investigation?”
“What security tools should we be using to prevent this?”
“How can we detect similar attacks in the future?”

Relationship Dynamics:

Often helpful source of technical information and system knowledge
May have insights about attack vectors and user behavior patterns
Generally supportive of security measures that don’t reduce functionality
Can serve as ally for security awareness and culture development

Scenario Applications:

Provides technical insights from user perspective
Creates opportunities to discuss security awareness and user education
Illustrates value of engaged users in security monitoring and response
Represents positive organizational security culture and engagement

External Stakeholder Archetypes

The Demanding Client

Typical Concerns:

Service availability and performance standards
Data security and privacy protection
Contract compliance and service level agreements
Competitive alternatives and vendor reliability

Common Motivations:

Ensure contracted services meet agreed-upon standards
Protect own organization’s data and operations
Maintain competitive advantage through reliable vendor relationships
Minimize risk of secondary impact from vendor security incidents

Typical Dialogue Patterns:

“When will our systems be back online?”
“How does this affect our data security and privacy?”
“Are you meeting the service levels specified in our contract?”
“Should we be looking for alternative service providers?”

Relationship Dynamics:

Creates external pressure for rapid incident resolution
May threaten business relationships if not satisfied with response
Represents reputational and financial consequences of security incidents
Often lacks understanding of technical security complexities

Scenario Applications:

Adds external stakeholder pressure to incident response decisions
Illustrates business consequences of security incidents
Creates opportunities to discuss customer communication during incidents
Represents contract and legal considerations in security response

The Regulatory Examiner

Typical Concerns:

Compliance with applicable regulations and standards
Documentation and evidence of proper security controls
Organizational commitment to regulatory compliance
Industry-wide security posture and threat management

Common Motivations:

Ensure organization meets all applicable regulatory requirements
Verify effectiveness of security controls and incident response procedures
Protect consumers and industry stability through regulatory oversight
Identify systemic risks and improvement opportunities

Typical Dialogue Patterns:

“What evidence do you have of proper incident response procedures?”
“How do you ensure this type of incident won’t happen again?”
“Are you meeting all notification and reporting requirements?”
“What changes will you make to prevent similar incidents?”

Relationship Dynamics:

Adds regulatory complexity and potential penalties to incident response
Requires detailed documentation and evidence of proper procedures
May be supportive of security investment and improvement efforts
Represents long-term consequences and organizational accountability

Scenario Applications:

Illustrates regulatory dimensions of cybersecurity incidents
Creates pressure for comprehensive documentation and analysis
Represents long-term security culture and process improvement opportunities
Adds complexity to incident response communication and reporting

NPC Relationship Mapping

Common Organizational Dynamics

IT vs. Business Leadership

Typical Tensions:

Security thoroughness vs. business continuity demands
Technology investment priorities vs. other business needs
Risk tolerance differences and time pressure management
Communication gaps between technical and business perspectives

Scenario Applications:

Forces players to navigate competing organizational priorities
Illustrates realistic constraints on ideal security responses
Creates opportunities to practice stakeholder communication
Demonstrates need for security and business alignment

Internal vs. External Stakeholder Pressure

Typical Tensions:

Internal process adherence vs. external delivery commitments
Regulatory compliance vs. customer satisfaction demands
Comprehensive security response vs. rapid business recovery
Documentation requirements vs. immediate action needs

Scenario Applications:

Adds realism and complexity to incident response decisions
Creates multiple audience communication challenges
Illustrates business consequences of security incident response
Demonstrates stakeholder management during crisis situations

Department vs. Organization-Wide Perspectives

Typical Tensions:

Individual department productivity vs. organizational security
Localized convenience vs. enterprise-wide consistency
Department-specific needs vs. standardized security controls
Short-term operational demands vs. long-term security investment

Scenario Applications:

Represents diverse organizational perspectives and priorities
Creates opportunities for collaborative problem-solving
Illustrates security culture development challenges
Demonstrates need for organization-wide security awareness

NPC Evolution During Scenarios

Information Revelation Patterns

Early Scenario (Discovery Phase):

NPCs provide initial context and symptom information
Characters represent different organizational perspectives
Limited technical knowledge shared, focus on impact and concerns
Establish relationship dynamics and competing priorities

Mid Scenario (Investigation Phase):

NPCs reveal additional details based on player questions
Characters show evolving understanding of incident severity
Technical and business implications become clearer
Relationship tensions may increase as stakes become apparent

Late Scenario (Response Phase):

NPCs contribute to solution development and implementation
Characters adapt to new information and changing circumstances
Collaboration or conflict patterns become more pronounced
Final character arcs demonstrate learning and growth

Emotional Arc Development

Beginning: Confusion, concern, initial blame or defensiveness Middle: Growing understanding, increased urgency, collaborative problem-solving End: Resolution, lessons learned, commitment to improvement

NPC Integration Techniques

During Character Creation

Ask players about their real-world organizational experience
Connect NPC roles to players’ professional backgrounds when appropriate
Use NPCs to represent perspectives not covered by player roles
Establish NPC relationships and dynamics before scenario begins

During Discovery Phase

Use NPCs to provide symptom context and initial information
Have NPCs represent different theories about incident cause
Let NPCs demonstrate varying levels of technical understanding
Use NPC dialogue to introduce organizational constraints and pressures

During Investigation Phase

Have NPCs reveal additional information based on player questions
Use NPCs to represent different stakeholder concerns and priorities
Let NPCs evolve their understanding as investigation progresses
Create NPC conflicts that mirror real organizational tensions

During Response Phase

Use NPCs to provide resource commitments or constraints
Have NPCs represent implementation challenges and opportunities
Let NPCs demonstrate organizational change and learning
Use NPC feedback to validate player response strategies

Advanced NPC Techniques

The Unreliable Narrator

NPCs who have incomplete or incorrect information
Characters who are defensive or blame-shifting
Stakeholders with hidden agendas or competing priorities
Representatives who don’t fully understand technical implications

Applications:

Creates realistic information uncertainty
Forces players to verify and cross-reference information
Illustrates organizational communication challenges
Demonstrates need for multiple information sources

The Evolving Ally

NPCs who initially resist security measures but learn through scenario
Characters who become advocates for security investment
Stakeholders who develop understanding of security importance
Representatives who facilitate organizational change

Applications:

Demonstrates security awareness development
Illustrates successful stakeholder engagement techniques
Represents organizational learning and culture development
Provides positive reinforcement for collaborative approaches

The Constraint Creator

NPCs who represent realistic resource limitations
Characters who enforce regulatory or policy requirements
Stakeholders who have competing priorities and time pressures
Representatives who introduce external pressures and complications

Applications:

Adds realism to incident response scenarios
Creates opportunities to practice prioritization and trade-off decisions
Illustrates real-world constraints on ideal security responses
Demonstrates need for creativity and flexibility in security solutions

NPC Development Worksheets

Quick NPC Creation (2 minutes per character)

Character Name: ______________________
Organizational Role: ______________________
Primary Concern: ______________________
Current Emotional State: ______________________
What They Know: ______________________
What They Don’t Know: ______________________
Key Dialogue Pattern: ______________________

Detailed NPC Development (5 minutes per character)

Character Background:

Name and role within organization
Professional background and expertise areas
Relationship to cybersecurity and technology
Personal stakes and concerns in incident resolution

Scenario Integration:

What information can this character provide?
What complications or conflicts might they create?
How might they evolve during the scenario?
What learning opportunities do they represent?

Dialogue Preparation:

Key phrases or concerns they would express
Questions they would ask during incident response
Resistance or support patterns they would demonstrate
Communication style and organizational perspective

NPC Relationship Matrix

NPC Pair	Potential Conflicts	Shared Interests	Communication Patterns
CEO & CISO	Speed vs. Thoroughness	Organizational Protection	Strategic vs. Technical
IT Director & Dept Head	Security vs. Productivity	System Functionality	Technical vs. Operational
Compliance & IT	Process vs. Efficiency	Regulatory Adherence	Policy vs. Implementation

Integration with Scenario Cards

Scenario Card NPC Planning

Each scenario card should include 3-4 NPCs that:

Represent different organizational perspectives
Create realistic conflicts and complications
Provide information needed for investigation
Demonstrate stakeholder communication challenges

Adaptation for Different Groups

High-Expertise Groups:

Add NPCs with advanced technical knowledge
Include characters representing sophisticated organizational politics
Create NPCs with industry-specific expertise and concerns

Beginner Groups:

Focus on clear, relatable organizational roles
Emphasize basic business and security concept connections
Use NPCs to teach fundamental cybersecurity principles

Mixed Groups:

Balance technical and non-technical NPC perspectives
Use NPCs to facilitate peer teaching opportunities
Create characters that bridge different experience levels

Remember: NPCs are tools for learning facilitation, not rigid characters to be portrayed. They should adapt to serve your group’s learning needs while maintaining realistic organizational dynamics and human motivations.