Code Red Scenario: University Web Services Crisis

Code Red Scenario: University Web Services Crisis

Pacific Northwest University: 35,000 students, 5,000 staff

• Code Red

STAKES

Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility

HOOK

Pacific Northwest University is in the middle of fall semester registration when their IIS web servers hosting departmental websites, student services, and research portals begin displaying defacement messages instead of academic content. Simultaneously, network monitoring shows the university’s servers generating massive scanning traffic – campus infrastructure is now participating in coordinated internet-wide attacks, threatening both student services and the university’s role as a responsible internet citizen.

PRESSURE

• Fall registration period – student services disruption affects 35,000 students + University reputation and internet responsibility at stake

FRONT • 90 minutes • Intermediate

Pacific Northwest University: 35,000 students, 5,000 staff

• Code Red

NPCs

• Dr. Patricia Hoffman (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university's responsibility as internet infrastructure provider
• Alex Ramirez (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
• Susan Lee (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
• Dr. James Walker (Computer Science): Analyzing the worm's technical behavior and coordinating with academic security research community about internet-wide threat

SECRETS

• University delayed IIS patches during registration period to avoid disrupting critical student services
• Academic departments host research data and student services on shared vulnerable web server infrastructure
• University's infected servers are now participating in coordinated attacks against other educational and government institutions

Code Red Scenario: University Web Services Crisis

University of Northern England: 28,000 students, 4,000 staff

• Code Red

STAKES

Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility

HOOK

University of Northern England is in the middle of autumn term registration when their IIS web servers hosting departmental websites, student services, and research portals begin displaying defacement messages instead of academic content. Simultaneously, network monitoring shows the university’s servers generating massive scanning traffic – campus infrastructure is now participating in coordinated internet-wide attacks, threatening both student services and the university’s role as a responsible internet citizen.

PRESSURE

• Autumn term registration period – student services disruption affects 28,000 students + University reputation and internet responsibility at stake

FRONT • 90 minutes • Intermediate

University of Northern England: 28,000 students, 4,000 staff

• Code Red

NPCs

• Professor Helen Cartwright (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university's responsibility as internet infrastructure provider
• Rajesh Kumar (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
• Fiona MacLeod (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
• Dr. Thomas Osei (Computer Science): Analyzing the worm's technical behavior and coordinating with academic security research community about internet-wide threat

SECRETS

• University delayed IIS patches during registration period to avoid disrupting critical student services
• Academic departments host research data and student services on shared vulnerable web server infrastructure
• University's infected servers are now participating in coordinated attacks against other educational and government institutions

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Code Red University Web Services Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Code Red University Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Monday morning during Pacific Northwest University’s peak fall registration period, and 35,000 students are trying to access course registration, student services, and departmental websites. Hundreds of university web pages are now displaying foreign-language defacement messages instead of academic content – ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Network administrators discover that the university’s IIS servers are generating massive scanning traffic, and external organizations are reporting attacks originating from campus IP addresses.”

“It’s Monday morning during University of Northern England’s peak autumn term registration period, and 28,000 students are trying to access course registration, student services, and departmental websites. Hundreds of university web pages are now displaying foreign-language defacement messages instead of academic content – ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ Network administrators discover that the university’s IIS servers are generating massive scanning traffic, and external organizations are reporting attacks originating from campus IP addresses.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Student registration portal displaying defacement message instead of course enrollment system”
• “Departmental websites across campus showing identical ‘Hacked By Chinese!’ messages”
• “University IIS servers generating massive internet scanning traffic overwhelming network bandwidth”
• “Academic research portals and faculty websites simultaneously compromised”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Web server forensics reveal buffer overflow exploitation targeting university’s IIS infrastructure
• Academic network analysis shows memory-only infection spreading across departmental web servers
• Registration system logs indicate compromise occurred during peak student access period

Protector System Analysis:

Note🛡️ Protector System Analysis

• Campus network monitoring reveals infected servers participating in coordinated internet attacks
• Web server vulnerability assessment shows delayed patch management affecting critical student services
• Academic data integrity analysis indicates potential research data exposure through compromised web services

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Internet traffic analysis reveals university infrastructure participating in global worm propagation
• Academic network communication patterns show coordination with other infected educational institutions
• Research collaboration network analysis indicates potential spread to partner universities and government labs

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Student communications regarding registration disruption and academic service availability
• Faculty concerns about research data exposure and academic website compromise
• Academic community coordination with other universities experiencing similar attacks

Mid-Scenario Pressure Points:

• Hour 1: 10,000 students unable to complete course registration due to defaced enrollment portal
• Hour 2: Faculty research data becomes inaccessible through compromised departmental websites
• Hour 3: Other universities report that Pacific Northwest University servers are attacking their infrastructure
• Hour 4: University administration faces media questions about academic data security and internet responsibility

Mid-Scenario Pressure Points:

• Hour 1: 8,000 students unable to complete course registration due to defaced enrollment portal
• Hour 2: Faculty research data becomes inaccessible through compromised departmental websites
• Hour 3: Other universities report that University of Northern England servers are attacking their infrastructure
• Hour 4: University administration faces media questions about academic data security and internet responsibility

Evolution Triggers:

• If response exceeds 8 hours, university misses registration deadline affecting student academic progress
• If worm containment fails, infection spreads to other universities through academic collaboration networks
• If patch deployment is delayed, university continues participating in coordinated attacks against educational infrastructure

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across university web infrastructure
• Student services restored through secure backup systems while maintaining registration deadline
• University servers removed from coordinated attack network through network isolation and system restart

Business Success Indicators:

• Academic operations maintained with minimal impact on student registration and faculty research
• University reputation protected through transparent communication and responsible incident response
• Academic community relationships maintained through coordinated response and information sharing

Learning Success Indicators:

• Team understands university’s dual role as service provider and internet infrastructure participant
• Participants recognize academic institution cybersecurity responsibilities during critical operational periods
• Group demonstrates coordination between academic mission priorities and internet security obligations

Common IM Facilitation Challenges:

If Academic Mission Is Ignored:

*“Your technical analysis is excellent, but Susan Lee reports that 10,000 students can’t register for classes and the registration deadline is tomorrow. How do you balance worm response with critical academic deadlines?”

If Internet Responsibility Is Missed:

*“While you’re restoring student services, Dr. James Walker just received calls from three other universities saying that Pacific Northwest University servers are attacking their infrastructure. How does this change your response approach?”

If Research Data Impact Is Overlooked:

*“Alex Ramirez discovered that some of the compromised servers host faculty research data and collaboration portals. How do you assess whether sensitive academic research has been exposed?”

Common IM Facilitation Challenges:

If Academic Mission Is Ignored:

*“Your technical analysis is excellent, but Fiona MacLeod reports that 8,000 students can’t register for courses and the deadline is tomorrow. How do you balance worm response with critical academic deadlines?”

If Internet Responsibility Is Missed:

*“While you’re restoring student services, Dr. Thomas Osei just received calls from three other universities saying that University of Northern England servers are attacking their infrastructure. How does this change your response approach?”

If Research Data Impact Is Overlooked:

*“Rajesh Kumar discovered that some of the compromised servers host faculty research data and collaboration portals. How do you assess whether sensitive academic research has been exposed?”

Success Metrics for Session:

• Team understands academic institution’s role in internet infrastructure security
• Student services and academic mission maintained as priority throughout incident response
• Coordinated response demonstrates understanding of educational community cybersecurity responsibility
• Learning includes university web services security and academic data protection
• Response strategy balances immediate academic needs with internet infrastructure obligations

Template Compatibility

Quick Demo (35-40 min)

• Rounds: 1
• Actions per Player: 1
• Investigation: Guided
• Response: Pre-defined
• Focus: Use the “Hook” and “Initial Symptoms” to quickly establish university registration crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and academic institution infrastructure vulnerabilities.

Lunch & Learn (75-90 min)

• Rounds: 2
• Actions per Player: 2
• Investigation: Guided
• Response: Pre-defined
• Focus: This template allows for deeper exploration of academic institution cybersecurity challenges. Use the full set of NPCs to create realistic registration period pressures. The two rounds allow Code Red to spread affecting more academic services, raising stakes. Debrief can explore balance between student services and internet infrastructure responsibility.

Full Game (120-140 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing student registration deadlines, faculty research data, academic reputation, and internet security responsibilities. The three rounds allow for full narrative arc including worm’s academic-institution-specific impact and coordinated attack participation.

Advanced Challenge (150-170 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Complexity: Add red herrings (e.g., legitimate university system updates causing unrelated service disruptions). Make containment ambiguous, requiring players to justify academic-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and university infrastructure security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Web server forensics reveal active exploitation of an IIS buffer overflow vulnerability across servers hosting 200+ departmental websites, student services, and research portals. A memory-resident infection is spreading autonomously through Pacific Northwest University‘s infrastructure, defacing academic websites with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak fall registration period.”

Clue 2 (Minute 10): “Campus network monitoring reveals infected university servers generating massive internet scanning traffic and participating in coordinated attacks against other educational and government institutions. Registration system logs indicate the compromise occurred during peak student access when IIS patches were delayed to avoid disrupting critical academic services affecting 35,000 students.”

Clue 3 (Minute 15): “Internet traffic analysis shows Pacific Northwest University’s infected servers attacking other universities through academic collaboration networks. Web server vulnerability assessment reveals 10,000 students unable to complete course registration with the deadline approaching, and faculty research data is potentially exposed through compromised departmental web services.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Academic Network Isolation

• Action: Immediately deploy emergency IIS patches to all university web servers, isolate infected systems from internet to stop coordinated attacks, restore student services from secure backups, coordinate with academic security community about internet threat.
• Pros: Completely stops worm propagation and ends university participation in internet attacks; enables rapid student service restoration for registration deadline; demonstrates responsible internet citizenship.
• Cons: Requires complete web infrastructure patching affecting all 200+ departmental websites temporarily; some academic services experience brief downtime during registration period.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Prioritized Service Restoration & Student Focus

• Action: Quarantine confirmed infected servers, implement prioritized restoration for student registration and critical academic services first, maintain research services for unaffected departments while accelerating university-wide remediation.
• Pros: Allows continued student registration and academic operations for high-priority services; protects registration deadline and student academic progress.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; university continues participating in internet attacks during selective restoration; may affect research data security.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or attack participation.

Option C: Mass Server Reboot & Academic Coordination

• Action: Perform coordinated university-wide server reboot to eliminate memory-only worm, rapidly restore all academic services simultaneously from backups, coordinate with other affected universities about shared response and internet security communication.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates academic community leadership through coordinated response and information sharing.
• Cons: Requires complete academic web infrastructure downtime affecting all students and faculty simultaneously during registration period; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection.

Guided Investigation Clues

Clue 1 (Minute 5): “Web server forensics reveal active exploitation of an IIS buffer overflow vulnerability across servers hosting 200+ departmental websites, student services, and research portals. A memory-resident infection is spreading autonomously through University of Northern England‘s infrastructure, defacing academic websites with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak autumn term registration period.”

Clue 2 (Minute 10): “Campus network monitoring reveals infected university servers generating massive internet scanning traffic and participating in coordinated attacks against other educational and government institutions. Registration system logs indicate the compromise occurred during peak student access when IIS patches were delayed to avoid disrupting critical academic services affecting 28,000 students.”

Clue 3 (Minute 15): “Internet traffic analysis shows University of Northern England’s infected servers attacking other universities through academic collaboration networks. Web server vulnerability assessment reveals 8,000 students unable to complete course registration with the deadline approaching, and faculty research data is potentially exposed through compromised departmental web services.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Academic Network Isolation

• Action: Immediately deploy emergency IIS patches to all university web servers, isolate infected systems from internet to stop coordinated attacks, restore student services from secure backups, coordinate with academic security community about internet threat.
• Pros: Completely stops worm propagation and ends university participation in internet attacks; enables rapid student service restoration for registration deadline; demonstrates responsible internet citizenship.
• Cons: Requires complete web infrastructure patching affecting all 200+ departmental websites temporarily; some academic services experience brief downtime during registration period.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Prioritized Service Restoration & Student Focus

• Action: Quarantine confirmed infected servers, implement prioritized restoration for student registration and critical academic services first, maintain research services for unaffected departments while accelerating university-wide remediation.
• Pros: Allows continued student registration and academic operations for high-priority services; protects registration deadline and student academic progress.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; university continues participating in internet attacks during selective restoration; may affect research data security.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or attack participation.

Option C: Mass Server Reboot & Academic Coordination

• Action: Perform coordinated university-wide server reboot to eliminate memory-only worm, rapidly restore all academic services simultaneously from backups, coordinate with other affected universities about shared response and internet security communication.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates academic community leadership through coordinated response and information sharing.
• Cons: Requires complete academic web infrastructure downtime affecting all students and faculty simultaneously during registration period; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Fall registration period at Pacific Northwest University – 35,000 students depend on online registration, course management, and academic services. Web Services Director Alex Ramirez watches as 200+ departmental websites begin displaying defacement messages. CIO Dr. Patricia Hoffman receives alarming network data: university IIS servers are aggressively scanning the internet, and external organizations report that campus infrastructure is attacking their systems.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed during registration period to avoid service disruption), the worm’s autonomous propagation across the university’s flat network connecting 200+ departmental web servers, and the discovery that campus infrastructure is participating in internet-wide attacks against other academic and government institutions.

If the team stalls: “Dr. James Walker from Computer Science analyzes the worm’s behavior and reports: ‘This is automated – it’s exploiting the same IIS buffer overflow that Microsoft patched weeks ago. Our servers are scanning the entire internet for vulnerable targets. We’re not just victims, we’re attackers.’”

Facilitation questions:

• “University servers are attacking MIT, Stanford, Berkeley, and government institutions – what does ‘internet citizenship’ mean for a university’s response obligations?”
• “35,000 students need online registration this week – how do you balance student services with stopping the university’s participation in global attacks?”
• “Academic departments host their own servers independently with no centralized IT control – how do you remediate 200+ servers across 50 autonomous departments?”

Round 1→2 Transition

The investigation reveals campus-wide IIS worm infection across 200+ departmental servers. Student Services Director Susan Lee reports escalating student complaints as registration and course systems display defacement messages. CERT/CC contacts the university: campus infrastructure is participating in coordinated attacks against critical internet infrastructure, and federal agencies are monitoring academic institutions’ response.

Round 2: Federal Pressure & Academic Culture Conflict (35 min)

If teams chose campus network isolation: All 200+ departmental websites offline during registration week. 35,000 students unable to register for classes or access course materials. Faculty research requiring internet connectivity is blocked. Academic culture backlash: “IT is destroying academic freedom with excessive security measures.”

If teams chose phased departmental patching: Manual patch deployment across 50 autonomous departments is proving slow – only 30% completed. Multiple departments (Computer Science, Engineering, Physics) refuse emergency server access during active research projects. Worm continues propagating through unpatched servers, and university continues participating in internet-wide attacks.

New developments beyond Round 1: CERT/CC issues emergency advisory: the worm contains a hardcoded DDoS trigger targeting government websites. Every infected university server will participate in the coordinated attack. FBI, CISA contacts Dr. Patricia Hoffman: “Your university has significant infected infrastructure. What’s your remediation timeline?” Student newspaper runs story about university cybersecurity failures and participation in global attacks.

Facilitation questions:

• “Federal agencies are pressuring you to remediate immediately, but academic departments refuse emergency server access during research – how do you resolve this?”
• “The university’s academic culture values openness and departmental autonomy – security restrictions feel like an attack on academic freedom. How do you frame security as supporting rather than opposing the academic mission?”
• “Manual patching of 300+ servers across 50 autonomous departments takes 5-7 days, but the DDoS trigger date is 4 days away – what’s your triage strategy?”

Round 2→3 Transition

The DDoS trigger date passes – the university either largely prevented participation through aggressive remediation, or campus infrastructure contributed to the attack. Either way, the incident exposed fundamental infrastructure weaknesses: distributed infrastructure with no centralized management, academic culture resisting security controls, and manual processes that don’t scale. Focus shifts to long-term institutional change.

Round 3: Long-Term Academic Cybersecurity & Institutional Change (35 min)

Three weeks post-incident. The immediate crisis is resolved but the institutional implications are profound. The incident demonstrated that the university’s decentralized IT model – 50 autonomous departments managing their own servers – created an environment where a single vulnerability compromised the entire campus. Dr. Patricia Hoffman faces a defining question: how do you modernize academic cybersecurity without destroying the departmental autonomy that defines university culture?

Investigation focus areas:

• Centralized security architecture – Alex Ramirez proposes: centralized vulnerability management across all departmental servers, automated patch deployment, network segmentation between departments, campus-wide security monitoring. Requires organizational authority that doesn’t currently exist
• Academic culture engagement – Dr. James Walker leads faculty advisory committee on cybersecurity policy: balancing research openness with security requirements, defining acceptable use policies that respect academic freedom
• Federal relationship management – Federal agencies assessing university’s internet citizenship; positive response demonstration could lead to academic sector cybersecurity partnership opportunities
• Student services modernization – Susan Lee advocates for moving critical student services to managed cloud infrastructure rather than departmental servers, reducing the security surface area

Pressure events:

• University administration announces mandatory security review with external consultants – IT leadership credibility questioned
• Faculty Senate debates resolution opposing “centralized IT security control” that would restrict research server autonomy
• Peer institutions (MIT, Stanford) share best practices showing centralized security models that preserved research flexibility
• EDUCAUSE sector coordination opportunity – university could lead academic cybersecurity standards development

Facilitation questions:

• “How do you build centralized security capability in an organization designed around departmental autonomy?”
• “The academic culture conflict between openness and security predates this incident and will outlast it – what’s a sustainable long-term model?”
• “This incident created an opportunity for the university to lead academic sector cybersecurity – how do you turn crisis into institutional leadership?”

Victory Conditions

• Worm eliminated across all departmental servers with comprehensive campus patching
• Student services restored with acceptable disruption to registration and academic operations
• University’s internet citizenship demonstrated through responsible federal coordination
• Institutional cybersecurity governance model proposed that balances security with academic autonomy

Debrief Focus (Full Game)

• How decentralized organizational structures (universities, hospital systems, franchise networks) create unique challenges for enterprise security management
• The tension between academic openness culture and security requirements – and why framing matters more than technology
• Why universities have special “internet citizenship” obligations as major network infrastructure providers
• How manual security operations don’t scale across distributed infrastructure – the case for automation and centralization
• Institutional change management when security improvements require fundamentally altering how an organization makes decisions

Round 1: Discovery & Identification (30-35 min)

Autumn term registration period at University of Northern England – 28,000 students depend on online registration, course management, and academic services. Web Services Director Rajesh Kumar watches as 200+ departmental websites begin displaying defacement messages. CIO Professor Helen Cartwright receives alarming network data: university IIS servers are aggressively scanning the internet, and external organizations report that campus infrastructure is attacking their systems.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow (delayed during registration period to avoid service disruption), the worm’s autonomous propagation across the university’s flat network connecting 200+ departmental web servers, and the discovery that campus infrastructure is participating in internet-wide attacks against other academic and government institutions.

If the team stalls: “Dr. Thomas Osei from Computer Science analyzes the worm’s behavior and reports: ‘This is automated – it’s exploiting the same IIS buffer overflow that Microsoft patched weeks ago. Our servers are scanning the entire internet for vulnerable targets. We’re not just victims, we’re attackers.’”

Facilitation questions:

• “University servers are attacking Oxford, Cambridge, Imperial College, and government institutions – what does ‘internet citizenship’ mean for a university’s response obligations?”
• “28,000 students need online registration this week – how do you balance student services with stopping the university’s participation in global attacks?”
• “Academic departments host their own servers independently with no centralized IT control – how do you remediate 200+ servers across 50 autonomous departments?”

Round 1→2 Transition

The investigation reveals campus-wide IIS worm infection across 200+ departmental servers. Student Services Director Fiona MacLeod reports escalating student complaints as registration and course systems display defacement messages. JANET CSIRT contacts the university: campus infrastructure is participating in coordinated attacks against critical internet infrastructure, and federal agencies are monitoring academic institutions’ response.

Round 2: Federal Pressure & Academic Culture Conflict (35 min)

If teams chose campus network isolation: All 200+ departmental websites offline during registration week. 28,000 students unable to register for classes or access course materials. Faculty research requiring internet connectivity is blocked. Academic culture backlash: “IT is destroying academic freedom with excessive security measures.”

If teams chose phased departmental patching: Manual patch deployment across 50 autonomous departments is proving slow – only 30% completed. Multiple departments (Computer Science, Engineering, Physics) refuse emergency server access during active research projects. Worm continues propagating through unpatched servers, and university continues participating in internet-wide attacks.

New developments beyond Round 1: JANET CSIRT issues emergency advisory: the worm contains a hardcoded DDoS trigger targeting government websites. Every infected university server will participate in the coordinated attack. NCSC, NCA contacts Professor Helen Cartwright: “Your university has significant infected infrastructure. What’s your remediation timeline?” Student newspaper runs story about university cybersecurity failures and participation in global attacks.

Facilitation questions:

• “Federal agencies are pressuring you to remediate immediately, but academic departments refuse emergency server access during research – how do you resolve this?”
• “The university’s academic culture values openness and departmental autonomy – security restrictions feel like an attack on academic freedom. How do you frame security as supporting rather than opposing the academic mission?”
• “Manual patching of 300+ servers across 50 autonomous departments takes 5-7 days, but the DDoS trigger date is 4 days away – what’s your triage strategy?”

Round 2→3 Transition

The DDoS trigger date passes – the university either largely prevented participation through aggressive remediation, or campus infrastructure contributed to the attack. Either way, the incident exposed fundamental infrastructure weaknesses: distributed infrastructure with no centralized management, academic culture resisting security controls, and manual processes that don’t scale. Focus shifts to long-term institutional change.

Round 3: Long-Term Academic Cybersecurity & Institutional Change (35 min)

Three weeks post-incident. The immediate crisis is resolved but the institutional implications are profound. The incident demonstrated that the university’s decentralized IT model – 50 autonomous departments managing their own servers – created an environment where a single vulnerability compromised the entire campus. Professor Helen Cartwright faces a defining question: how do you modernize academic cybersecurity without destroying the departmental autonomy that defines university culture?

Investigation focus areas:

• Centralized security architecture – Rajesh Kumar proposes: centralized vulnerability management across all departmental servers, automated patch deployment, network segmentation between departments, campus-wide security monitoring. Requires organizational authority that doesn’t currently exist
• Academic culture engagement – Dr. Thomas Osei leads faculty advisory committee on cybersecurity policy: balancing research openness with security requirements, defining acceptable use policies that respect academic freedom
• Federal relationship management – Federal agencies assessing university’s internet citizenship; positive response demonstration could lead to academic sector cybersecurity partnership opportunities
• Student services modernization – Fiona MacLeod advocates for moving critical student services to managed cloud infrastructure rather than departmental servers, reducing the security surface area

Pressure events:

• University administration announces mandatory security review with external consultants – IT leadership credibility questioned
• Faculty Senate debates resolution opposing “centralized IT security control” that would restrict research server autonomy
• Peer institutions (Oxford, Cambridge) share best practices showing centralized security models that preserved research flexibility
• UCISA sector coordination opportunity – university could lead academic cybersecurity standards development

Facilitation questions:

• “How do you build centralized security capability in an organization designed around departmental autonomy?”
• “The academic culture conflict between openness and security predates this incident and will outlast it – what’s a sustainable long-term model?”
• “This incident created an opportunity for the university to lead academic sector cybersecurity – how do you turn crisis into institutional leadership?”

Victory Conditions

• Worm eliminated across all departmental servers with comprehensive campus patching
• Student services restored with acceptable disruption to registration and academic operations
• University’s internet citizenship demonstrated through responsible federal coordination
• Institutional cybersecurity governance model proposed that balances security with academic autonomy

Debrief Focus (Full Game)

• How decentralized organizational structures (universities, hospital systems, franchise networks) create unique challenges for enterprise security management
• The tension between academic openness culture and security requirements – and why framing matters more than technology
• Why universities have special “internet citizenship” obligations as major network infrastructure providers
• How manual security operations don’t scale across distributed infrastructure – the case for automation and centralization
• Institutional change management when security improvements require fundamentally altering how an organization makes decisions