Story-Driven Preparation Workflow
Enhanced Preparation System for Rich, Narrative-Driven M&M Sessions
The Story-Driven Preparation system builds on the proven “Lazy IM” philosophy while adding narrative depth that transforms technical cybersecurity scenarios into compelling, human-centered learning experiences. This system provides multiple preparation tiers to match available time and experience levels.
Philosophy: Narrative + Flexibility = Engagement
Core Principles
- Story serves learning: Narrative elements enhance rather than replace cybersecurity education
- Collaboration over control: Rich backstories enable player agency rather than constraining it
- Adaptation over perfection: Good enough preparation that adapts beats perfect preparation that doesn’t
- Questions drive discovery: Compelling scenarios create better questions, which create better learning
The Story-Driven Advantage
Traditional Approach: “Your organization has been compromised by GaboonGrabber. Investigate.”
Story-Driven Approach: “MedTech Solutions is 72 hours from their biggest client go-live ever. St. Mary’s Hospital is depending on the new EMR system Monday morning. Yesterday, during the final push, several IT staff received ‘critical security updates’ that seemed legitimate given the pressure. Now computers are running slowly and the project timeline is at risk.”
The Difference:
- Players immediately understand what’s at stake
- The timing explains why the attack succeeded
- Multiple stakeholders create realistic complexity
- Business pressure creates natural urgency
- Investigation has clear direction and purpose
Preparation Tier System
2-Minute Emergency Prep: Crisis Management
When you need to facilitate immediately with minimal preparation:
30 Seconds: Quick Context
Choose one familiar organizational context:
- Healthcare organization during system implementation
- Financial services during regulatory examination
- Manufacturing company during production deadline
- Technology company during major release
30 Seconds: Scenario Card Selection
Pick pre-made scenario card matching:
- Beginner groups: GaboonGrabber healthcare or education scenario
- Mixed groups: WannaCry financial services or manufacturing scenario
- Advanced groups: Stuxnet industrial or critical infrastructure scenario
60 Seconds: Mental Preparation
- Review chosen scenario card quickly
- Identify 2-3 key NPCs and their motivations
- Remember core secrets that explain attack success
- Trust the framework and player expertise
Emergency Mantra: “Rich scenario + good questions + player collaboration = successful session”
5-Minute Standard Prep: Confident Facilitation
The enhanced version of proven 5-minute preparation with narrative focus:
Minute 1: Scenario Card Selection and Customization
- Choose scenario card matching group expertise and interests
- Scan organizational context for relevance to participants
- Note adaptation guidance for high/low expertise groups
- Identify potential customizations based on group background
Minute 2: NPC Motivation Review
- Review 3-4 key NPCs and their current emotional states
- Understand what each NPC knows and doesn’t know about incident
- Identify potential conflicts between different NPC priorities
- Plan how NPCs will reveal information during discovery
Minute 3: Hook and Pressure Internalization
- Read scenario hook carefully and understand the “WHY NOW”
- Internalize time pressure and deadline creating urgency
- Consider how pressure affects different organizational stakeholders
- Plan opening that immediately establishes stakes and timeline
Minute 4: Villain Plan and Evolution Strategy
- Review 3-stage villain plan progression
- Identify which stage is current when scenario begins
- Understand evolution triggers and escalation opportunities
- Plan how to reveal threat progression during investigation
Minute 5: Opening Questions and Confidence Check
- Prepare 3-5 opening questions that connect to scenario narrative
- Review adaptation notes for group-specific considerations
- Ensure scenario materials are accessible and organized
- Mental transition to storytelling facilitator mode
Key Questions to Prepare:
- “Given what’s at stake for [organization], what would worry you most?”
- “How would [specific pressure/deadline] affect your investigation approach?”
- “What would [key NPC] be most concerned about right now?”
15-Minute Deep Prep: Rich Narrative Development
For experienced IMs who want to create memorable, highly engaging sessions:
Minutes 1-3: Scenario Customization and Enhancement
- Select base scenario card and identify customization opportunities
- Adapt organizational context to match group interests or expertise
- Enhance NPC backgrounds with details relevant to participant experience
- Consider industry-specific or current event connections
Minutes 4-6: NPC Relationship Development
- Map relationships between different NPCs and their competing priorities
- Plan how NPC interactions will create realistic organizational dynamics
- Develop dialogue patterns and character voices for key stakeholders
- Identify opportunities for NPC evolution during scenario progression
Minutes 7-9: Investigation Path Planning
- Map multiple investigation approaches for different player roles
- Identify key revelation moments that maintain engagement and momentum
- Plan how secrets will be discovered through different investigation paths
- Prepare contingency information for unexpected player directions
Minutes 10-12: Business Impact and Stakeholder Complexity
- Develop realistic business consequences and trade-off decisions
- Plan stakeholder pressure points that create difficult choices
- Consider regulatory, legal, and reputational implications
- Prepare communication challenges between technical and business perspectives
Minutes 13-15: Adaptation Strategy and Contingency Planning
- Plan specific adaptations for different group energy levels
- Prepare alternative revelation sequences based on group progress
- Identify opportunities to increase or decrease complexity mid-session
- Final confidence check and material organization
Enhanced Question Bank:
- “How would you explain this technical finding to [specific business stakeholder]?”
- “Given [specific constraint], what trade-offs would you consider?”
- “What would [NPC] say if they knew what you’ve discovered?”
- “How does this incident change the relationship between [different stakeholders]?”
30-Minute Master Prep: Full Custom Scenario Development
For creating completely customized scenarios or preparing for high-stakes sessions:
Minutes 1-5: Foundation and Objectives
- Define specific learning objectives and desired outcomes
- Choose or develop organizational context matching group precisely
- Identify key cybersecurity concepts to be explored through narrative
- Establish session scope and complexity level
Minutes 6-10: Organizational Development
- Create detailed organizational background including culture and dynamics
- Develop stakeholder ecosystem with realistic competing priorities
- Establish regulatory environment and compliance pressures
- Design business operations and critical dependency mapping
Minutes 11-15: Character and Relationship Architecture
- Develop 5-6 detailed NPCs with rich backgrounds and motivations
- Create relationship web with conflicts, alliances, and communication patterns
- Plan character evolution arcs throughout scenario progression
- Prepare character-specific dialogue and concern patterns
Minutes 16-20: Narrative Structure and Pacing
- Design compelling opening hook with immediate stakes and urgency
- Plan 3-5 major revelation moments with investigation triggers
- Develop multiple story paths based on different player approaches
- Create satisfying resolution opportunities for various response strategies
Minutes 21-25: Technical Integration and Accuracy
- Ensure technical details align with chosen Malmon capabilities
- Verify attack progression reflects realistic threat actor behavior
- Plan technical investigation opportunities for different expertise levels
- Prepare advanced concepts and attribution elements for expert groups
Minutes 26-30: Session Flow and Facilitation Strategy
- Plan time management and pacing for each scenario phase
- Prepare transition techniques between discovery, investigation, and response
- Identify energy management strategies and engagement techniques
- Final preparation review and facilitator confidence building
Integration with Existing M&M Systems
Scenario Card Integration Points
With Role-Based Investigation
Detective Role Integration:
- NPCs provide investigative leads through interviews and information sharing
- Organizational context creates realistic evidence and artifact patterns
- Business pressure creates time constraints affecting investigation thoroughness
Protector Role Integration:
- Stakeholder concerns highlight systems and data requiring protection
- Organizational dependencies identify critical assets and continuity requirements
- Regulatory environment defines compliance and reporting obligations
Tracker Role Integration:
- Business operations create network traffic patterns and baseline behavior
- Organizational context explains expected vs. anomalous system activity
- Stakeholder communication creates legitimate network usage patterns
With Malmon Mechanical Properties
Type Effectiveness Enhancement:
- Organizational vulnerabilities explain why specific attack types succeeded
- Business context creates realistic constraints on different response approaches
- Stakeholder priorities influence acceptability of various containment strategies
Evolution Triggers:
- Business pressure creates realistic time constraints affecting response thoroughness
- Organizational culture influences likelihood of comprehensive threat eradication
- Stakeholder resistance may create conditions allowing threat evolution
Question Framework Evolution
Discovery Phase Questions
Technical Focus Enhanced with Narrative:
- “Given the pressure [organization] was under, what would make staff more likely to click on suspicious emails?”
- “How would [specific deadline/pressure] affect normal security awareness?”
- “What organizational factors would make this attack particularly effective?”
Role-Specific Questions with Organizational Context:
- “Detective: What would [key stakeholder] know about when these problems started?”
- “Protector: Given [critical business function], what systems absolutely cannot go down?”
- “Communicator: How would you explain this incident to [external stakeholder]?”
Investigation Phase Questions
Impact Assessment with Business Reality:
- “If [specific deadline] is missed, what are the real consequences?”
- “How would [regulatory requirement] affect your investigation approach?”
- “What would [key customer/partner] do if they knew about this incident?”
Scope Analysis with Stakeholder Complexity:
- “Which [business function] would be most vulnerable to this type of attack?”
- “How would different departments react to the containment measures you’re considering?”
- “What organizational politics might complicate your response strategy?”
Response Phase Questions
Strategy Development with Realistic Constraints:
- “Given [specific organizational constraint], what response options are actually feasible?”
- “How would you manage [stakeholder conflict] while responding to this incident?”
- “What communication strategy would maintain [key relationship] during response?”
Implementation with Business Impact:
- “If your response strategy affects [critical business function], how would you handle that?”
- “What would [regulatory body/key customer] expect to see in your response?”
- “How would you balance security thoroughness with [business continuity requirement]?”
Advanced Story-Driven Techniques
Dynamic NPC Development
The Evolving Informant
Start with NPCs who have limited information, but develop deeper knowledge as players ask good questions:
Initial State: “Sarah (IT Director) seems stressed about the project deadline but doesn’t understand the security implications.”
After Good Questions: “Sarah reveals that management has been pressuring IT to approve software quickly, and that she’s been getting pressure to ‘just make it work’ for the hospital go-live.”
After Investigation: “Sarah admits she bypassed normal approval processes yesterday and is terrified this will cost her job and put patients at risk.”
The Resistant Stakeholder
Create NPCs who initially resist security measures but can become allies through good relationship management:
Initial Resistance: “Mike (COO) demands to know why ‘IT problems’ are threatening the client implementation and wants immediate solutions.”
Educational Opportunity: “After learning about potential patient safety implications, Mike becomes an advocate for thorough response even if it delays go-live.”
Alliance Formation: “Mike offers to communicate with hospital leadership about delays and becomes a key supporter for security investment.”
Pressure Escalation Techniques
The Ticking Clock Approach
Use specific deadlines to create mounting pressure throughout the session:
Opening: “Hospital go-live scheduled for Monday morning - 72 hours away”
Mid-Session: “Hospital just called - they’re starting final testing tomorrow and need systems stable”
Crisis Point: “Breaking: Hospital threatening to switch vendors if systems aren’t ready by Sunday”
The Stakeholder Cascade
Introduce additional stakeholders as pressure mounts:
Initial Pressure: Internal team coordination
Escalation 1: Key customer becomes involved
Escalation 2: Regulatory body asks questions
Escalation 3: Media picks up story
Investigation Enhancement Strategies
The Artifact Trail
Design physical and digital evidence that tells a story:
- Email chains showing increasing desperation about deadlines
- System logs showing corners cut during high-pressure periods
- Chat messages revealing organizational culture and pressure points
The Witness Interview Progression
Structure NPC information revelation to build narrative tension:
- Surface Information: What everyone knows
- Department Secrets: What specific teams know
- Leadership Insights: What executives know but haven’t shared
- External Intelligence: What outside stakeholders reveal
Scenario Card Development Workshop
Creating Custom Scenario Cards
Step 1: Learning Objective Definition
- What specific cybersecurity concepts should this scenario teach?
- What organizational dynamics should participants experience?
- What collaboration and communication skills should be developed?
- How does this connect to real-world professional challenges?
Step 2: Organizational Context Research
- What industries are relevant to your participant group?
- What regulatory environments create interesting constraints?
- What business pressures create realistic urgency and stakes?
- What organizational dynamics create authentic complexity?
Step 3: Malmon-Context Alignment
- How would this Malmon specifically target this type of organization?
- What organizational vulnerabilities would enable this attack to succeed?
- What business pressures would create opportunities for social engineering?
- How would organizational culture affect detection and response?
Step 4: NPC Ecosystem Design
- What organizational roles would be involved in incident response?
- What competing priorities would create realistic conflicts?
- What information would different roles have about the incident?
- How would different personalities react to crisis situations?
Step 5: Narrative Arc Planning
- What hook explains why this attack is happening now?
- What pressure creates urgency throughout the scenario?
- What secrets explain how the attack succeeded?
- What villain plan creates escalation and evolution opportunities?
Quality Assurance and Testing
Narrative Coherence Check
- Does the story make sense from all stakeholder perspectives?
- Are character motivations realistic and understandable?
- Does the timeline create natural urgency without feeling artificial?
- Do the stakes justify the level of engagement you’re seeking?
Educational Effectiveness Check
- Will this scenario teach the intended cybersecurity concepts?
- Are there enough investigation opportunities for all player roles?
- Does the scenario balance challenge with achievability?
- Will participants leave with applicable professional insights?
Facilitation Utility Check
- Can you facilitate this scenario confidently with your current knowledge?
- Are there clear adaptation strategies for different group types?
- Does the scenario provide enough material for your intended session length?
- Are there natural break points and transition opportunities?
Implementation and Community Development
Building Your Scenario Card Library
Start with Adaptations
- Begin by customizing existing scenario cards for your specific groups
- Gradually develop original organizational contexts relevant to your community
- Share successful adaptations with other IMs for feedback and improvement
- Document what works well and what needs refinement
Contribute to Community Knowledge
- Share effective scenario cards with the M&M community
- Document successful facilitation techniques and group responses
- Provide feedback on other IMs’ scenario cards and preparation approaches
- Participate in scenario development workshops and collaborative creation
Long-Term Skill Development
Storytelling Skills for IMs
- Practice creating compelling hooks and maintaining narrative tension
- Develop character voice and dialogue skills for NPC portrayals
- Learn to balance narrative structure with collaborative discovery
- Build confidence in improvisation and adaptive storytelling
Business Context Expertise
- Develop familiarity with various industry sectors and their unique challenges
- Learn about regulatory environments and compliance requirements
- Understand organizational dynamics and stakeholder relationship management
- Stay current with business pressures and market dynamics affecting cybersecurity
Advanced Facilitation Techniques
- Master multi-threaded narrative management and pacing
- Develop skills in conflict facilitation and stakeholder representation
- Learn to adapt complex scenarios in real-time based on group needs
- Build expertise in connecting narrative elements to professional development
Remember: Story-driven preparation enhances the proven M&M framework rather than replacing it. The goal is confident, flexible facilitation that creates memorable learning experiences through compelling narrative and authentic organizational dynamics.