Organizational Context Library

Quick-Reference Cards for Realistic Business Scenarios

This library provides ready-to-use organizational contexts designed for rapid session preparation. Each context card contains everything needed to create authentic business environments that enhance M&M learning through realistic constraints and stakeholder dynamics.

Why Organizational Context Matters

πŸ“‹

Context Benefits

LEARNING ENHANCEMENT

πŸ”„ Preparation Steps

  • Business realism creates authentic decision-making pressure
  • Stakeholder dynamics teach communication and coordination
  • Regulatory constraints mirror real-world response limitations
  • Time pressures force realistic trade-offs and prioritization

πŸ“¦ Required Materials

  • Authentic organizational backgrounds
  • Realistic business pressures and deadlines
  • Complex stakeholder relationships
  • Regulatory and compliance requirements

πŸ’‘ Pro Tips

Choose contexts familiar to your group when possible - expertise enhances engagement

πŸ”§ Common Issues

If context doesn't resonate, ask group to suggest industry modifications

How to Use Context Cards

πŸ“‹

Context Selection

SESSION PREP GUIDE

πŸ”„ Preparation Steps

  • Match context to group expertise and interests
  • Ensure regulatory environment aligns with learning goals
  • Verify stakeholder dynamics support intended collaboration
  • Confirm business pressures create appropriate urgency

πŸ“¦ Required Materials

  • Group background assessment
  • Learning objective priorities
  • Time constraints and session format
  • Malmon selection requirements

πŸ’‘ Pro Tips

Mixed industry groups benefit from universally understood contexts like healthcare or financial services

πŸ”§ Common Issues

When context fails to engage, pivot to collaborative context creation with group input

Healthcare Industry Contexts

MedTech Solutions: Healthcare Technology Company

πŸ“‹

MedTech Solutions

HEALTHCARE CONTEXT

πŸ”„ Preparation Steps

  • 200 employees, B2B healthcare software
  • EMR integration for 15 hospital systems
  • HIPAA compliance and FDA device regulations
  • Client go-live deadlines create time pressure

πŸ“¦ Required Materials

  • Patient health information (PHI)
  • Medical device networks
  • EMR integration systems
  • Regulatory audit documentation

πŸ’‘ Pro Tips

Perfect for scenarios involving user convenience vs security trade-offs - healthcare providers resist security that slows patient care

πŸ”§ Common Issues

If group unfamiliar with healthcare, focus on universal concepts: customer deadlines, regulatory pressure, user resistance to security

Key Stakeholders:

  • IT Director (Sarah Chen): Balancing client implementation deadlines with security requirements
  • Hospital CIO (David Kim): Demanding system reliability for patient safety, threatens contract cancellation for delays
  • Compliance Officer (Jennifer Park): Focused on HIPAA audit preparation, resistant to changes that affect documentation

Realistic Pressures:

  • Hospital EMR go-live Monday morning (3-day deadline)
  • HIPAA audit next month requiring perfect compliance documentation
  • $2M annual contract renewal depends on successful implementation
  • Patient safety concerns if medical device integration fails

Common Vulnerabilities:

  • Legacy medical devices with limited security updates
  • Staff bypass security during high-pressure implementation periods
  • Multiple third-party medical device integrations
  • Emergency access procedures that skip normal authentication

Regional Hospital System: St. Mary’s Healthcare Network

πŸ“‹

St. Mary's Healthcare

HOSPITAL CONTEXT

πŸ”„ Preparation Steps

  • 2,500 employees, 24/7 patient care operations
  • 150,000+ patient records and life-critical systems
  • Joint Commission accreditation and CMS quality reporting
  • Flu season creates surge capacity and staffing pressure

πŸ“¦ Required Materials

  • Electronic health records
  • Life-critical medical devices
  • Pharmacy and medication systems
  • Emergency department operations

πŸ’‘ Pro Tips

Ideal for scenarios where business continuity cannot be interrupted - patients' lives depend on system availability

πŸ”§ Common Issues

For non-healthcare groups, emphasize universal concepts: 24/7 operations, life-safety systems, regulatory inspections

Key Stakeholders:

  • Chief Medical Officer: Prioritizes patient safety above all other considerations
  • IT Director: Balances system availability with security requirements
  • Emergency Department Manager: Needs immediate access during medical emergencies
  • Compliance Officer: Ensures Joint Commission and CMS regulatory compliance

Financial Services Industry Contexts

RegionalBank: Community Banking Institution

πŸ“‹

RegionalBank

FINANCIAL CONTEXT

πŸ”„ Preparation Steps

  • 350 employees, 12 branch locations
  • 45,000 customers and 95M USD annual revenue
  • FDIC insurance and federal banking regulations
  • Quarterly regulatory reporting creates deadline pressure

πŸ“¦ Required Materials

  • Customer financial data
  • Core banking systems
  • ATM and payment networks
  • Regulatory compliance systems

πŸ’‘ Pro Tips

Perfect for social engineering scenarios - customer impersonation and trust exploitation are realistic attack vectors

πŸ”§ Common Issues

If group unfamiliar with banking, focus on customer trust, regulatory pressure, and 24/7 transaction processing demands

Key Stakeholders:

  • Branch Manager: Focused on customer service and relationship building
  • IT Security Officer: Balancing convenience with fraud prevention
  • Compliance Director: Managing regulatory examinations and audit requirements
  • Customer: Expecting convenient access while trusting financial data protection

Manufacturing and Industrial Contexts

SteelCorp Manufacturing: Industrial Steel Processing

πŸ“‹

SteelCorp Manufacturing

INDUSTRIAL CONTEXT

πŸ”„ Preparation Steps

  • 400 employees, steel processing and fabrication
  • Industrial control systems (ICS/SCADA/PLCs)
  • OSHA safety and EPA environmental regulations
  • Construction season creates production deadline pressure

πŸ“¦ Required Materials

  • Production control systems
  • Worker safety monitoring
  • Supply chain and ERP systems
  • Environmental compliance data

πŸ’‘ Pro Tips

Excellent for OT/IT security scenarios - air-gapped networks, legacy systems, and safety-critical operations

πŸ”§ Common Issues

For non-industrial groups, emphasize safety systems, production deadlines, and physical security integration

Key Stakeholders:

  • Production Manager: Focused on meeting customer delivery deadlines
  • Safety Director: Ensuring worker protection and OSHA compliance
  • Plant Engineer: Managing industrial control systems and equipment
  • Operations VP: Balancing cost control with safety and security investments

Technology Services Contexts

CloudCorp: Software Development and Cloud Services

Organizational Profile

  • Industry: Software development and cloud infrastructure services
  • Size: 180 employees distributed across remote workforce with headquarters office
  • Business Model: Software as a Service (SaaS), cloud infrastructure, custom development
  • Revenue: $25M annually from subscription services and professional services
  • Geographic Scope: Global customer base with primary markets in North America and Europe

Critical Assets and Stakes

Intellectual Property:

  • Proprietary software source code and development frameworks
  • Customer application data and configuration settings
  • Trade secrets including algorithms and business process innovations
  • Patent applications and technical documentation

Customer Data and Trust:

  • Multi-tenant cloud environment serving 500+ business customers
  • Customer application data across various industries and sensitivity levels
  • Authentication and identity management systems
  • Service level agreement (SLA) commitments and uptime guarantees

Development and Operations Infrastructure:

  • Continuous integration and continuous deployment (CI/CD) pipeline systems
  • Cloud infrastructure spanning multiple geographic regions and availability zones
  • Developer tools and privileged access management systems
  • Monitoring, logging, and incident response automation systems

Regulatory Environment

Data Protection and Privacy:

  • General Data Protection Regulation (GDPR) for European customer data
  • California Consumer Privacy Act (CCPA) for California resident data
  • Various industry-specific data protection requirements based on customer sectors
  • International data transfer and localization requirements

Cloud Security and Compliance:

  • Service Organization Control (SOC) 2 Type II compliance and auditing
  • International Organization for Standardization (ISO) 27001 certification
  • Payment Card Industry Data Security Standard (PCI DSS) for payment processing
  • Cloud Security Alliance (CSA) framework implementation and assessment

Software Development Security:

  • Secure coding practices and vulnerability management programs
  • Open source software licensing and security vulnerability monitoring
  • Third-party component risk management and supply chain security
  • Software bill of materials (SBOM) generation and maintenance

Seasonal Pressures and Critical Periods

Product Release Cycles:

  • Quarterly major release planning and development sprints
  • Customer upgrade coordination and change management
  • Security patch deployment and emergency response procedures
  • Performance optimization and scalability improvement initiatives

Compliance Audit Season:

  • Annual SOC 2 audit preparation and evidence collection
  • Customer security questionnaire responses and due diligence support
  • Third-party security assessment coordination and remediation planning
  • Regulatory compliance documentation and process improvement

Conference and Marketing Events:

  • Industry conference participation and product demonstration preparation
  • Customer success story development and case study publication
  • Competitive differentiation messaging and security capability highlighting
  • Thought leadership content creation and expert positioning

Common Vulnerabilities

Remote Workforce Security:

  • Distributed employee access to sensitive systems and customer data
  • Personal device usage and bring-your-own-device (BYOD) security challenges
  • Home network security and isolation from corporate systems
  • Social engineering risks targeting remote workers

Rapid Development and Deployment:

  • Pressure to deliver features quickly potentially compromising security review
  • Limited time for comprehensive security testing and vulnerability assessment
  • Developer access to production systems for troubleshooting and support
  • Open source component integration without thorough security evaluation

Cloud Infrastructure Complexity:

  • Multi-cloud environment configuration and security control consistency
  • Infrastructure as code (IaC) security and configuration management
  • Container and microservices security architecture and monitoring
  • API security and third-party integration vulnerability management

Educational Institution Contexts

StateU: State University System

Organizational Profile

  • Industry: Higher education and academic research
  • Size: 25,000 students, 3,500 faculty and staff across main campus plus 3 satellite locations
  • Business Model: State funding, tuition and fees, research grants, auxiliary services
  • Revenue: $850M annually from all funding sources
  • Geographic Scope: Statewide student population with international students and research collaborations

Critical Assets and Stakes

Student Information Systems:

  • Student records including academic transcripts and personal information
  • Financial aid and billing information systems
  • Student health records and counseling service data
  • Residence hall and campus security information

Research and Intellectual Property:

  • Faculty research data including federally funded projects
  • Collaborative research partnerships with industry and government
  • Patent applications and technology transfer opportunities
  • Graduate student research and dissertation data

Academic and Administrative Operations:

  • Learning management systems supporting online and hybrid courses
  • Library systems and digital resource collections
  • Campus infrastructure including dormitories, dining, and transportation
  • Alumni relations and fundraising systems

Regulatory Environment

Student Privacy Protection:

  • Family Educational Rights and Privacy Act (FERPA) student record protection
  • Health Insurance Portability and Accountability Act (HIPAA) for student health services
  • Gramm-Leach-Bliley Act (GLBA) for student financial information
  • State privacy laws and student consumer protection regulations

Research Compliance:

  • Federal research security requirements for government-funded projects
  • Export control regulations for international research collaborations
  • Institutional Review Board (IRB) requirements for human subjects research
  • Animal care and use regulations for biological and medical research

Campus Safety and Security:

  • Clery Act crime reporting and campus safety disclosure requirements
  • Title IX sexual harassment and discrimination investigation procedures
  • Americans with Disabilities Act (ADA) accessibility and accommodation requirements
  • Emergency response and crisis management planning and communication

Seasonal Pressures and Critical Periods

Academic Calendar Events:

  • Semester start and end periods with high system usage and support demands
  • Registration periods with peak student information system utilization
  • Graduation and commencement events requiring comprehensive event security
  • Summer session and conference hosting requiring temporary access management

Research Grant Cycles:

  • Federal funding proposal deadlines and competitive application processes
  • Research compliance audits and regulatory inspection preparation
  • Technology transfer and commercialization opportunity evaluation
  • International collaboration security review and approval processes

Budget and Planning Cycles:

  • State budget approval and allocation processes
  • Tuition and fee setting with public input and approval requirements
  • Capital project planning and construction management
  • Technology infrastructure investment and modernization planning

Common Vulnerabilities

Open Academic Environment:

  • Academic freedom principles balancing security with information sharing
  • Diverse user population with varying technical skills and security awareness
  • Extensive guest access for conferences, events, and research collaborations
  • Multiple network environments serving different constituencies and security requirements

Resource and Funding Constraints:

  • State funding limitations affecting cybersecurity investment priorities
  • Competition between academic program funding and infrastructure investment
  • Deferred maintenance and technology refresh cycles
  • Limited specialized cybersecurity staff with higher education experience

Complex Stakeholder Environment:

  • Faculty governance and shared decision-making processes
  • Student privacy advocacy and transparency expectations
  • Alumni and donor relationship management and stewardship
  • Community partnership and public service mission requirements

Scenario Context Selection Guide

Matching Context to Learning Objectives

For Social Engineering and User Awareness Training

Recommended Contexts:

  • Healthcare organizations with life-critical systems
  • Educational institutions with diverse user populations
  • Financial services with customer trust dependencies
  • Any organization during high-pressure periods or major transitions

Why These Work:

  • High stakes create realistic motivation for attackers
  • Diverse user populations provide realistic social engineering targets
  • Time pressures create conditions where users bypass security controls
  • Trust relationships create opportunities for manipulation and deception

For Network Security and Infrastructure Protection

Recommended Contexts:

  • Manufacturing with operational technology integration
  • Financial services with real-time transaction processing
  • Healthcare with life-critical device networks
  • Technology companies with distributed cloud infrastructure

Why These Work:

  • Complex network architectures mirror real-world challenges
  • Business continuity requirements create realistic constraints
  • Regulatory compliance adds complexity to network security decisions
  • Integration between different systems creates realistic attack vectors

For Incident Response and Crisis Management

Recommended Contexts:

  • Any organization during critical business periods
  • Industries with strict regulatory requirements
  • Organizations with multiple stakeholder groups
  • Contexts with clear business continuity dependencies

Why These Work:

  • Time pressures force realistic trade-off decisions
  • Multiple stakeholders create communication and coordination challenges
  • Regulatory requirements add complexity to incident response procedures
  • Business continuity needs create realistic constraints on security responses

Adapting Contexts for Different Groups

For Technical Audiences

  • Emphasize technical complexity and sophisticated attack vectors
  • Include detailed infrastructure and system architecture considerations
  • Focus on advanced threat detection and response techniques
  • Add regulatory and compliance technical requirements

For Business Audiences

  • Emphasize business impact and stakeholder communication challenges
  • Include financial and reputational risk considerations
  • Focus on decision-making and resource allocation trade-offs
  • Add strategic planning and long-term risk management aspects

For Mixed Audiences

  • Balance technical and business considerations
  • Use contexts that require collaboration between different expertise areas
  • Include opportunities for peer teaching and knowledge sharing
  • Focus on communication and translation between technical and business perspectives

Context Customization Guidelines

Industry Familiarity

  • Choose industries familiar to your audience when possible
  • Adapt technical details to match group expertise levels
  • Use regulatory requirements familiar to participants
  • Include stakeholder dynamics relevant to audience experience

Organizational Complexity

  • Scale complexity to match group sophistication and available time
  • Balance realism with learning objectives and session constraints
  • Include appropriate level of organizational politics and dynamics
  • Match resource constraints to realistic organizational environments

Scenario Integration

  • Ensure context matches chosen Malmon capabilities and attack vectors
  • Create natural evolution paths that maintain engagement
  • Include realistic investigation leads and response options
  • Provide adaptation guidance for different group types and time constraints

Quick Selection Reference

Context Selection by Learning Objective

πŸ“‹

Social Engineering Focus

CONTEXT SELECTOR

πŸ”„ Preparation Steps

  • Choose high-trust environments
  • User convenience vs security conflicts
  • Time pressure situations
  • Diverse user populations

πŸ“¦ Required Materials

  • Healthcare (patient care urgency)
  • Financial (customer service pressure)
  • Educational (open environment)
  • Any organization during crunch periods

πŸ’‘ Pro Tips

Healthcare and financial contexts provide natural social engineering scenarios with realistic trust relationships

πŸ”§ Common Issues

If chosen context doesn't create user pressure, add business deadlines or regulatory audit timing

πŸ“‹

Network/Infrastructure Focus

CONTEXT SELECTOR

πŸ”„ Preparation Steps

  • Choose complex technical environments
  • Business continuity dependencies
  • Legacy system integration challenges
  • Multiple network segments

πŸ“¦ Required Materials

  • Manufacturing (OT/IT integration)
  • Financial (transaction processing)
  • Healthcare (medical devices)
  • Technology (cloud infrastructure)

πŸ’‘ Pro Tips

Industrial contexts excel for OT/IT scenarios, financial for real-time transaction security

πŸ”§ Common Issues

For less technical groups, emphasize business impact over technical complexity

Emergency Adaptation Guide

πŸ“‹

Context Doesn't Resonate

TROUBLESHOOTING

πŸ”„ Preparation Steps

  • Ask group to suggest familiar industry
  • Focus on universal business concepts
  • Let participants modify stakeholder roles
  • Shift to collaborative context creation

πŸ“¦ Required Materials

  • Group expertise assessment
  • Universal pressure points (deadlines, regulations, customer demands)
  • Flexible stakeholder roles
  • Adaptation mindset

πŸ’‘ Pro Tips

Any context can work if you focus on universal concepts: deadlines, stakeholders, regulatory pressure, customer expectations

πŸ”§ Common Issues

When all else fails, ask 'What organization would create the most realistic pressure for your group?' and adapt

Remember: Organizational context should enhance learning through realistic constraints and stakeholder dynamics. The best contexts feel authentic to participants while supporting collaborative discovery and practical skill development.