Network Security Status Tracker

Overview

The Network Security Status Tracker is a simple but powerful tool for Incident Masters to maintain session momentum and provide clear feedback on team performance. This visual tracking system helps both facilitators and players understand the evolving security situation and the impact of their decisions.

How to Use This Tool

Before the Session

1. Print one copy for yourself as the IM - this is your tracking reference
2. Consider making the status visible to players via whiteboard or projected display
3. Review status definitions to ensure consistent application during the session
4. Start with realistic initial conditions - not all sessions begin at “Secure”

During the Session

• Update immediately when player actions warrant status changes
• Announce changes to maintain tension: “Your quick response has improved our IR Effectiveness to ‘Good’”
• Use as pacing tool - status changes create natural session rhythm
• Document key moments for post-session discussion and learning reinforcement

Status Change Triggers

Network Security Status Changes: - Secure → Monitored: First threat indicators discovered - Monitored → Compromised: Active malicious activity confirmed - Compromised → Critical: Threat spreads or achieves major objectives - Critical → Compromised: Effective containment actions implemented - Any status → Previous: Successful remediation or false positive identified

IR Effectiveness Tracking: - Improve status when team demonstrates good communication, role clarity, or collaborative problem-solving - Maintain status during steady, competent performance - Reduce status when team shows confusion, poor communication, or role conflicts

Quick Reference Tracking Sheet

Print this section and use during sessions to track the evolving security situation.

---

NETWORK SECURITY STATUS TRACKER

Session Info:

• Scenario: ____________________
• Malmon: ____________________
  
• Date: ____________________

---

Current Status (Check one box per track)

Network Security:

• Secure - Normal operations, no known threats
• Monitored - Suspicious activity detected, investigation ongoing
• Compromised - Active threat confirmed, containment in progress
  
• Critical - Major breach, significant damage possible

Incident Response Effectiveness:

• Poor - Confusion, poor communication, unclear roles
• Fair - Basic coordination, some role clarity
• Good - Effective teamwork, clear communication
• Excellent - Seamless collaboration, optimal response

Business Operations Impact:

• Normal - No operational disruption
• Stressed - Some pressure but functioning
• Impacted - Noticeable operational effects
• Disrupted - Significant business interruption

---

Session Notes

Current Threat Indicators:

_________________________________________________
_________________________________________________
_________________________________________________

Key Player Discoveries:

_________________________________________________
_________________________________________________
_________________________________________________

Pending Team Decisions:

_________________________________________________
_________________________________________________
_________________________________________________

Status Change Log:

Time: _____ Network: _________ → _________
Reason: _____________________________________

Time: _____ IR Effectiveness: _____ → _____
Reason: _____________________________________

Time: _____ Business Ops: _______ → _______
Reason: _____________________________________

---

Quick IM Reminders

• Update based on player actions, not arbitrary timing
• Show status changes to players - make consequences visible
• Use status to drive tension - “We just moved to Critical…”
• Reward effective teamwork with improved IR Effectiveness
• Keep it simple - quick updates, stay focused on facilitation