FakeBat Scenario: Small Business Software Trap

Creative Solutions Studio: Digital marketing agency, 45 employees, serving local businesses
Social Engineering • FakeBat
STAKES
Client data + Business operations + Website security + Company reputation
HOOK
Creative Solutions is managing client campaigns when employees notice their browsers redirecting to unexpected websites and displaying persistent advertisements. Staff report installing 'critical software updates' for design tools, but these were sophisticated software masquerading attacks delivering multi-stage trojan payloads.
PRESSURE
Major client presentation Friday - browser compromise threatens business operations and client confidence
FRONT • 120 minutes • Intermediate
NPCs
  • Business Owner Lisa Martinez: Managing agency operations with compromised design workstations affecting client services
  • IT Coordinator Jake Thompson: Investigating unauthorized software installations and browser modifications
  • Creative Director Sarah Chen: Reporting design software 'updates' and persistent browser advertising issues
  • Client Relations Manager Mark Rodriguez: Assessing impact on client data security and service delivery
SECRETS
  • Design staff received convincing fake software update notifications for Adobe Creative Suite and design tools
  • Malicious software is masquerading as legitimate business applications while deploying secondary payloads
  • Browser hijacking is creating persistent infection vectors and redirecting client research to malicious sites

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Small Business Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Small Business Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Creative Solutions Studio: Agency Survival During Major Client Pitch

Quick Reference

  • Organization: Creative Solutions Studio digital marketing agency, 45 employees serving 85 active clients across retail, hospitality, professional services with full-service creative and digital marketing capabilities
  • Key Assets at Risk: Major Client Presentation & Agency Survival, Creative Production Infrastructure & Workflow Continuity, Agency Reputation & Small Business Viability
  • Business Pressure: Friday morning presentation to Fortune 500 prospect representing $400K annual contract—FakeBat infection discovered Thursday afternoon after designer downloaded fake Adobe plugin, compromising creative workstations during final presentation preparation
  • Core Dilemma: Isolate infected designer workstations NOW to contain FakeBat BUT lose ability to finish Friday presentation materials (agency survival at risk), OR Keep creative systems running to complete pitch BUT allow browser hijacking and credential theft to spread
Detailed Context
Organization Profile

Type: Full-service digital marketing agency providing creative services, brand strategy, web development, social media management, and digital advertising campaigns for small-to-medium business clients across retail, hospitality, professional services, and nonprofit sectors.

Size: 45 employees including 18 creative professionals (graphic designers, web designers, copywriters, video producers), 12 account managers handling client relationships and project coordination, 8 digital marketing specialists (SEO, paid advertising, social media strategy), 5 operations staff (HR, finance, office management), 1 part-time IT coordinator (Jake Chen, 20 hours/week), 1 owner/creative director managing overall agency strategy and major client relationships.

Operations: Project-based revenue model serving 85 active clients generating $3.2 million annual revenue, retainer agreements ($2,500-15,000 monthly) providing recurring revenue base, project work (website launches, rebrands, campaign development) creating revenue spikes, agency operates on 18-22% profit margins typical of creative services businesses, client retention drives business stability (losing major client eliminates months of profit), new business development through referrals and competitive pitches.

Critical Services: Client campaign development and creative production, website design and development requiring Adobe Creative Suite and collaborative tools, social media content creation and community management, digital advertising campaign management across Google Ads, Meta platforms, LinkedIn, brand strategy and marketing consulting for client business objectives.

Technology Infrastructure: Adobe Creative Suite (Photoshop, Illustrator, InDesign, Premiere Pro, After Effects) on 18 designer workstations, project management platforms (Monday.com) coordinating client deliverables, cloud file storage (Google Workspace) for client assets and collaboration, browser-based research and social media management tools, shared network with minimal segmentation (designers access client files, research resources, cloud platforms simultaneously), part-time IT coordinator handles reactive support (password resets, software installations, printer troubleshooting) but lacks cybersecurity expertise or proactive security monitoring capabilities.

Current Crisis Period: Thursday afternoon before Friday 10am client presentation—creative team finishing final presentation slides and campaign mockups for major Fortune 500 prospect pitch, account team rehearsing presentation delivery, agency owner preparing for career-defining business development opportunity, IT coordinator working remote half-day (available by phone only).

Key Assets & Impact

Major Client Presentation & Agency Survival: Friday 10am pitch to Fortune 500 retail client represents $400K annual contract (12.5% of agency revenue)—six-month competitive pitch process, final presentation showcasing brand refresh strategy, digital campaign creative, website redesign concepts, social media content calendar, all developed on spec (unpaid) by creative team investing 240 hours, presentation materials require designer workstation access for final refinements and export to presentation formats, FakeBat infection compromising lead designer’s system (Maria Garcia) who created core presentation assets and holds institutional knowledge of creative rationale, losing this opportunity means eliminating planned expansion (hire 3 additional staff), agency owner invested personal savings covering spec work costs, competitive pitch means no second chance if presentation fails, small business survival depends on winning transformational contracts that elevate agency tier and enable stable growth.

Creative Production Infrastructure & Workflow Continuity: 18 designer workstations running Adobe Creative Suite representing $32,400 annual licensing investment plus $54,000 in hardware (iMacs, displays, peripherals)—FakeBat browser hijacking disrupts designers’ web-based research (reference images, competitor analysis, trend research), credential theft threatens Adobe Creative Cloud accounts, Google Workspace access, client portal logins, malware’s multi-stage loader capabilities mean secondary payloads could deploy ransomware targeting client creative assets and intellectual property, creative workflow depends on seamless browser access (stock photo services, font libraries, color palette tools, design inspiration platforms), containment requires taking designers offline during active project work affecting 12 concurrent client campaigns with deliverable deadlines next week, small agency lacks redundant systems or backup workstations enabling graceful degradation.

Agency Reputation & Small Business Viability: Creative services industry where portfolio quality and reliability define competitive advantage—existing 85 clients generate revenue through ongoing trust in agency capabilities, referral-based business development means reputation damage spreads through professional networks, clients are small businesses themselves (restaurants, retail shops, professional practices) who cannot afford agency failures affecting their marketing, breach of client data (brand assets, unreleased campaigns, business strategies) destroys confidentiality foundation of agency-client relationship, small business market means competitors ready to receive dissatisfied clients (“more reliable agency”), agency operates on thin margins where one lost major client or reputation incident threatens business viability, owner’s personal financial investment and 45 employees’ livelihoods depend on maintaining professional credibility.

Immediate Business Pressure

Thursday 3:30 PM - Infection Discovery 18 Hours Before Career-Defining Presentation:

Creative Director Sarah Mitchell received panicked Slack message from lead designer Maria Garcia: “My browser keeps redirecting to weird sites, and I just got a notification that some ‘Creative Cloud Helper’ software installed. I didn’t authorize that.” Maria had downloaded what appeared to be Adobe font management plugin from Google search result Wednesday afternoon while preparing presentation typography—convincing fake website mimicked Adobe’s design language, software installed smoothly, seemed legitimate until browser behavior degraded Thursday afternoon.

Part-time IT coordinator Jake Chen, working remotely, connected to Maria’s workstation and discovered that the FakeBat multi-stage loader had installed browser hijacking components, modified Chrome extensions, and was actively communicating with external command-and-control infrastructure. Jake’s investigation revealed two additional designer workstations showing similar indicators—fake software installations, browser modifications, credential access attempts.

But Friday 10am presentation is agency’s most critical business opportunity in five years. Maria’s workstation contains master presentation file with 60 slides of custom creative work, brand strategy frameworks, campaign mockups that cannot be recreated in 18 hours. Account manager David Wilson texted: “Rehearsal in 2 hours, need final slides. Client confirmed attendance—CMO, VP Marketing, Brand Director. This is our shot.”

Agency owner Sarah knows: isolate infected workstations (best security practice, prevent spread) but lose access to presentation materials and designer expertise finishing Friday deliverable, OR maintain creative team access through Friday presentation (business survival) but risk credential theft, data exfiltration, and potential ransomware deployment across client assets.

Critical Timeline:

  • Current moment (Thursday 3:30pm): FakeBat discovered on 3 designer workstations, Friday 10am presentation 18.5 hours away
  • Stakes: $400K client contract, agency expansion plans, 45 employees’ job security, small business survival
  • Dependencies: Lead designer’s workstation holds presentation assets, part-time IT coordinator has limited incident response expertise, no redundant systems or backup creative capacity

Cultural & Organizational Factors

Creative workflow autonomy encouraged designer software experimentation: Agency culture celebrates “creative problem-solving” and “finding the best tools”—when designers request specialized fonts, productivity plugins, or workflow enhancement software, management approves to “empower creative excellence” and “avoid limiting artistic capabilities.” Creative Director decision: trust professional designers to find tools improving work quality over restricting software installations creating “corporate bureaucracy feel.” Decision made business sense—creative agencies compete on innovation and quality, designers need autonomy exploring new techniques and resources, micromanaging software choices signals distrust damaging creative culture, small agency differentiates from large corporate shops through flexibility and designer empowerment. No software approval process or installation restrictions meant Maria downloading “Adobe font manager” seemed like normal professional behavior seeking to enhance typography work. FakeBat exploited this exact creative autonomy culture.

Part-time IT model reflects small business budget constraints: Agency operates on 18-22% profit margins with $3.2M revenue supporting 45 salaries, benefits, software licenses, rent, and operating costs—full-time IT security specialist ($75K-95K annually) represents 2.3-3.0% of revenue (eliminates profit margin), management determined 20-hour/week IT coordinator ($32K annually) provides “adequate support for basic needs” while maintaining business viability. Budget reality: small agencies prioritize billable creative staff over non-revenue infrastructure positions, IT spending competes with designer salaries directly affecting creative output quality, managed security services ($2,500-4,000 monthly) cost more than IT coordinator’s entire compensation. Jake Chen hired as “tech-savvy generalist” handling help desk support, not cybersecurity professional conducting threat hunting. Small business constraint: cannot afford enterprise security while competing for clients on creative deliverable quality and pricing.

Client deadline pressures prevent security maintenance windows: Creative services operate under constant deadline pressure—12 concurrent client campaigns with deliverables due weekly, Friday presentation represents months of spec work, designers cannot “pause creative work for IT maintenance” without missing client commitments. When Jake proposed scheduling security updates and system patches, account managers rejected: “We have client deliverables every single day, there’s never a good time to be offline.” Agency business model (multiple simultaneous projects with staggered deadlines) creates perpetual “critical work in progress” preventing planned maintenance. Creative staff work evenings and weekends finishing campaigns—security interruptions eliminate personal time used for deadline completion. Management priority: client deliverable quality and timeliness (drives revenue and retention) over IT maintenance (invisible until crisis occurs).

Spec work investment model creates impossible presentation stakes: Agency spent 240 unpaid hours developing presentation creative, strategy frameworks, and campaign concepts for competitive pitch—owner invested $18,000 in creative labor costs (fully burdened) plus $3,200 in stock photography, fonts, and production resources gambling on winning $400K annual contract. Small agency business development reality: cannot afford to lose major pitches after investing significant resources, transformational clients enable tier elevation and stable growth, missing Friday presentation means $21,200 sunk cost with zero return, no second chance in competitive pitch environment. Stakes aren’t just “one lost client”—they’re months of investment, planned expansion, staff hiring decisions, owner’s personal financial risk. This context explains why “just postpone the presentation” isn’t viable option.

Operational Context

Small creative agencies operate under permanent financial pressure—thin profit margins mean every dollar spent on operations reduces owner compensation or business stability, client retention and new business development are existential requirements not optional activities, reputation and portfolio quality determine competitive survival in crowded market.

Creative workflow culture values autonomy and tool flexibility—designers expected to “find solutions” and “explore techniques,” software restrictions feel like corporate bureaucracy conflicting with creative agency identity, professional trust means letting designers choose tools enhancing their work. This culture creates productivity and innovation while introducing security risk when designers download “productivity enhancing” fake software.

Part-time IT reflects budget reality not negligence—$32K/year coordinator versus $75K+ security specialist, small business cannot afford enterprise IT while maintaining competitive creative staff compensation, IT spending competes directly with billable resources generating revenue. Jake Chen provides adequate help desk support (password resets, software installs, printer fixes) but lacks cybersecurity training for incident response.

Deadline culture creates perpetual “critical work in progress”—multiple simultaneous client campaigns with staggered deliverables mean “never a good time” for security maintenance, creative staff working evenings/weekends to meet commitments cannot lose system access without missing deadlines, agency reputation depends on reliable delivery.

Spec work business development model creates high-stakes presentations—agencies invest tens of thousands in unpaid creative work gambling on transformational contracts, competitive pitches mean no second chances, winning major clients enables tier elevation and stability, losing after significant investment threatens business viability. Friday presentation isn’t “just another client meeting”—it’s culmination of six-month pursuit and $21K investment with agency expansion plans dependent on success.

FakeBat exploited this exact environment—creative autonomy culture encouraging designer software exploration, convincing fake Adobe plugin targeting creative professionals’ legitimate workflow needs, part-time IT lacking expertise for rapid incident response, deadline pressure preventing system isolation, spec work stakes making presentation cancellation unthinkable. Malware designed to exploit small creative business operational realities.

Key Stakeholders
  • Sarah Mitchell (Agency Owner/Creative Director) - Balancing business survival imperative of Friday presentation with security response needs, managing personal financial investment in spec work and 45 employees’ job security
  • Jake Chen (Part-Time IT Coordinator) - Learning incident response on the fly with limited cybersecurity expertise, navigating remote support constraints while trying to protect agency infrastructure
  • Maria Garcia (Lead Designer, Infected Workstation) - Feeling responsible for infection while facing Friday deadline requiring her expertise and presentation assets on compromised system
  • David Wilson (Account Manager, Client Relationship Owner) - Protecting six-month pitch relationship and Friday presentation delivery, managing client expectations without disclosing security incident
  • Jennifer Park (Fortune 500 Client, Brand Director) - Friday presentation audience representing $400K decision, agency survival depends on successful pitch and professional delivery
Why This Matters

You’re not just responding to FakeBat infection—you’re managing crisis in small creative business where limited IT resources, creative workflow autonomy, client deadline pressures, and spec work investment stakes create impossible choices during incident response, and one lost major client can threaten agency survival and 45 employees’ livelihoods. Your incident response decisions directly affect whether agency completes career-defining presentation, whether small business manages security incident without enterprise resources, whether creative professionals maintain workflow autonomy while protecting against social engineering threats.

There’s no perfect solution: isolate infected workstations immediately (loses Friday presentation access threatening $400K contract and agency survival), maintain creative access through presentation (risks credential theft, data exfiltration, ransomware deployment across client assets), attempt partial containment with limited IT expertise (uncertain effectiveness during critical deadline). This scenario demonstrates how small business operational constraints create unique cybersecurity challenges—part-time IT resources limit incident response capabilities, creative culture autonomy conflicts with security restrictions, thin profit margins prevent enterprise security investment, client deadline dependencies make business continuity and security response competing imperatives where protecting infrastructure threatens revenue survival.

IM Facilitation Notes
  • Emphasize small business IT constraints are structural, not negligence: $32K part-time IT coordinator versus $75K+ security specialist reflects budget reality—agencies cannot afford enterprise IT while maintaining competitive creative staff. Don’t let players dismiss as “bad prioritization.” Small business math: IT spending competes with billable resources generating revenue.

  • Creative workflow autonomy is cultural value, not security failure: Designers downloading productivity tools reflects agency’s creative empowerment culture and competitive differentiation. Software restrictions feel like “corporate bureaucracy” conflicting with small creative shop identity. Help players understand tension between creative autonomy (business value) and security controls (risk management).

  • Friday presentation stakes are existential, not arbitrary: $400K annual contract represents 12.5% of agency revenue, $21K spec work investment, planned expansion and hiring, owner’s personal financial risk—losing this opportunity threatens business viability. This isn’t “missing one client meeting,” it’s culmination of six-month pursuit with agency survival dependent on success.

  • Part-time IT coordinator is learning, not incompetent: Jake Chen provides adequate help desk support (his job description) but lacks cybersecurity training for incident response (not his expertise). Remote work Thursday afternoon adds complexity. Help players recognize resource constraints versus skill deficits.

  • Spec work business model creates high-risk development: Creative agencies invest tens of thousands in unpaid work gambling on transformational contracts—this model drives “cannot lose this pitch” pressure. Competitive pitch environment means no second chances, postponement equals loss.

  • FakeBat social engineering sophistication targets creative professionals: Fake Adobe plugin with convincing website, legitimate-seeming installation, targeting creative workflow needs—this isn’t “user negligence,” it’s sophisticated masquerading defeating reasonable verification attempts by professional designer.

  • Client asset protection adds stakeholder dimension: Agency holds 85 clients’ brand assets, unreleased campaigns, business strategies—breach affects not just agency but all client businesses depending on confidentiality. Small business clients (restaurants, shops, practices) cannot afford marketing data exposure.

Hook

“It’s Wednesday morning at Creative Solutions Studio, and what should be preparation for Friday’s major client presentation has turned into a crisis. Multiple design workstations are showing strange behavior - browsers redirecting to unexpected websites, persistent advertisements appearing during client work, and staff reporting they installed ‘critical software updates’ for their design tools yesterday. With your biggest client presentation in two days, investigate what’s happening before browser compromise destroys both your work and your reputation.”

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “Design software running slower than normal since yesterday”
  • “Browsers redirecting to unexpected advertising websites”
  • “Persistent pop-up advertisements appearing during client work”
  • “Staff mention installing ‘urgent updates’ for Adobe Creative Suite”
  • “Help desk reports 3 calls about browser homepage changes”

Key Discovery Paths:

Detective Investigation Leads:

  • Software installation logs show ‘CreativeSuite_UpdatePatch.exe’ installed on multiple design workstations
  • Process monitoring reveals unfamiliar executables running from temp directories
  • Browser history shows visits to ‘adobe-updates-secure.com’ domain
  • Registry analysis shows unauthorized browser extensions and homepage modifications

Protector System Analysis:

  • Memory scans reveal browser hijacking processes modifying web traffic
  • System performance metrics show hidden processes consuming resources
  • Browser security analysis reveals unauthorized extensions with broad permissions
  • Digital signature verification shows ‘updates’ lack valid Adobe signatures

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking Adobe
  • Network traffic analysis reveals connections to advertising and download servers
  • Browser traffic shows redirected search queries and injected advertising content
  • Download source analysis traces fake updates to malicious software distribution sites
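
An added example, not part of the original scenario materials, of how the Tracker's DNS lead can be worked: it scans resolver logs for names that carry the Adobe brand but sit outside an allowlist, then checks how recently each was registered. The log format, keyword list, allowlist, 30-day threshold and registration table are assumptions constructed for illustration; only `adobe-updates-secure.com` and its 3-day age come from the scenario.

```python
"""Added example: triage DNS query logs for Adobe look-alike domains."""
from datetime import date

# Assumptions (not from the scenario): keywords, allowlist and threshold.
BRAND_KEYWORDS = ("adobe", "creativesuite", "creativecloud")
OFFICIAL_SUFFIXES = ("adobe.com", "adobe.io")
RECENT_DAYS = 30

# Constructed resolver log: timestamp, client host, query type, query name.
SAMPLE_LOG = """\
2024-05-14T13:41:07Z ws-design-03 A www.adobe.com
2024-05-14T13:52:19Z ws-design-03 A adobe-updates-secure.com
2024-05-14T14:05:44Z ws-design-07 A adobe-updates-secure.com.
2024-05-14T14:06:02Z ws-design-07 A cc-api.adobe.io
2024-05-14T15:20:31Z ws-acct-02 A fonts.googleapis.com
2024-05-14T16:11:09Z ws-design-11 A adobe.com.cdn-sync.example
malformed line
"""

# Constructed registration dates; in practice these come from WHOIS/RDAP.
REGISTERED_ON = {"adobe-updates-secure.com": date(2024, 5, 12)}
TODAY = date(2024, 5, 15)  # constructed "now", 3 days after registration


def is_official(name):
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def registrable(name):
    """Approximate the registrable domain as the last two labels.

    Simplification: production code should use the Public Suffix List.
    """
    return ".".join(name.split(".")[-2:])


def parse_line(line):
    """Return (client_host, query_name) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, host, _qtype, qname = parts
    return host, qname.lower().rstrip(".")


def triage(log_text, registered_on, today):
    """Group brand look-alike queries by registrable domain."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, qname = parsed
        if is_official(qname):
            continue
        # Drop hyphens so "creative-suite" still matches "creativesuite".
        squashed = qname.replace("-", "")
        if not any(keyword in squashed for keyword in BRAND_KEYWORDS):
            continue
        domain = registrable(qname)
        entry = findings.setdefault(
            domain,
            {"hosts": set(), "queries": 0, "age_days": None, "recent": False},
        )
        entry["hosts"].add(host)
        entry["queries"] += 1
        registered = registered_on.get(domain)
        if registered is not None:
            entry["age_days"] = (today - registered).days
            entry["recent"] = entry["age_days"] <= RECENT_DAYS
    return findings


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, REGISTERED_ON, TODAY)
    for domain, info in sorted(results.items()):
        age = "unknown" if info["age_days"] is None else f"{info['age_days']}d"
        print(f"{domain}: hosts={sorted(info['hosts'])} "
              f"queries={info['queries']} age={age} recent={info['recent']}")
```

The suffix check is what separates `cc-api.adobe.io` from `adobe.com.cdn-sync.example`: a brand name appearing as a left-hand label says nothing about who owns the domain.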

Communicator Stakeholder Interviews:

  • Design staff report receiving convincing pop-up notifications about ‘critical security updates’
  • Business owner expressing concern about client presentation delivery with compromised systems
  • IT Coordinator reveals staff have administrative rights to install software for design tools
  • Creative Director describes how fake updates appeared during tight project deadline

Mid-Scenario Pressure Points:

  • Hour 2: Major client calls to review presentation materials - requires functional design workstations
  • Hour 3: Business owner demands explanation for why design team productivity has dropped
  • Hour 4: Client relations manager reports client is considering alternative agency due to delays

Evolution Triggers:

  • If containment takes longer than 3 hours, FakeBat begins deploying secondary payloads
  • If browser security isn’t addressed, malware creates persistent infection vectors
  • If fake software source isn’t identified, additional staff may install similar malware

Resolution Pathways:

Technical Success Indicators:

  • Team identifies FakeBat through software verification and browser behavior analysis
  • Browser security hardening prevents future unauthorized installations and extensions
  • Software installation policies prevent masquerading attacks in small business environment

Business Success Indicators:

  • Client presentation proceeds with minimal impact despite security incident
  • Business operations maintained while removing malware from design workstations
  • Security improvements integrated without disrupting creative workflow

Learning Success Indicators:

  • Team understands how software masquerading exploits user trust in legitimate tools
  • Participants recognize importance of software verification in small business environments
  • Group demonstrates balance between user autonomy and security controls for creative professionals

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“That’s excellent analysis of the browser hijacking techniques. How does this information help you communicate the urgency to the client who’s calling for their presentation materials?”

If Business Stakeholders Are Ignored:

“While you’re conducting this investigation, Lisa just received another call from the client asking about Friday’s presentation. How do you handle that conversation?”

If Software Masquerading Aspect Is Missed:

“The technical indicators are clear, but why did design staff trust these particular software updates during this specific time period?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish the scenario. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing fake software and the risks of installing unverified updates.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of software masquerading techniques. Use the full set of NPCs to create realistic small business decision-making pressures. The two rounds allow FakeBat to deploy secondary payloads, raising the stakes. Debrief can explore the balance between user productivity and security controls.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop their own response strategies, balancing browser security hardening, user education, and business operations. The three rounds allow for full narrative arc including villain’s complete multi-stage attack plan.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate Adobe update notifications that are unrelated). Make containment ambiguous, requiring players to justify browser security decisions with limited information. Remove access to reference materials to test knowledge recall of software verification processes.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “You discover that multiple design workstations visited ‘adobe-updates-secure.com’ yesterday and downloaded ‘CreativeSuite_UpdatePatch.exe’. The domain was registered 3 days ago.”

Clue 2 (Minute 10): “Analyzing the downloaded file reveals it lacks a valid Adobe digital signature. The legitimate Adobe update process never requires manual .exe downloads.”

Clue 3 (Minute 15): “You find new browser extensions installed on affected workstations: ‘Adobe Secure Connect’ and ‘Creative Suite Helper’. Both have permissions to modify all web page content and are injecting advertisements into legitimate websites.”
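
An added example, not part of the original scenario materials, showing how the finding in Clue 3 can be reproduced: it reads browser extension manifests and reports any extension that can read or modify every page, separating approved ones from the rest. The manifests are constructed (the two extension names come from Clue 3, their permission sets are invented to match the described behaviour), and `APPROVED`, `Team Password Manager` and `Palette Picker` are hypothetical.

```python
"""Added example: audit browser extension manifests for site-wide access."""
import json

# Match patterns that grant an extension access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Hypothetical allowlist of extensions the agency has reviewed.
APPROVED = {"Team Password Manager"}

# Constructed manifests (manifest.json contents collected per workstation).
SAMPLE_MANIFESTS = json.loads("""
[
  {"manifest_version": 3, "name": "Adobe Secure Connect",
   "permissions": ["scripting", "tabs"],
   "host_permissions": ["<all_urls>"],
   "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
  {"manifest_version": 2, "name": "Creative Suite Helper",
   "permissions": ["*://*/*", "webRequest", "webRequestBlocking"]},
  {"manifest_version": 3, "name": "Palette Picker",
   "permissions": ["activeTab", "storage"]},
  {"manifest_version": 3, "name": "Team Password Manager",
   "permissions": ["storage"],
   "host_permissions": ["<all_urls>"]}
]
""")


def broad_access(manifest):
    """Return the reasons an extension can touch every page (empty if none)."""
    reasons = []
    # Manifest V2 lists host patterns under "permissions"; V3 moved them to
    # "host_permissions". Check both so either version is covered.
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    hits = sorted({p for p in declared if isinstance(p, str) and p in BROAD_PATTERNS})
    if hits:
        reasons.append("host access to " + ", ".join(hits))
    # Content scripts run inside matching pages and can rewrite their content.
    for script in manifest.get("content_scripts", []):
        matched = sorted(set(script.get("matches", [])) & BROAD_PATTERNS)
        if matched:
            reasons.append("content script injected on " + ", ".join(matched))
    return reasons


def audit(manifests, approved):
    """List extensions with site-wide access, unapproved ones first."""
    report = []
    for manifest in manifests:
        reasons = broad_access(manifest)
        if reasons:
            name = manifest.get("name", "<unnamed>")
            report.append(
                {"name": name, "reasons": reasons, "approved": name in approved}
            )
    return sorted(report, key=lambda row: (row["approved"], row["name"]))


def unapproved(report):
    """Names of extensions that have site-wide access without approval."""
    return [row["name"] for row in report if not row["approved"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_MANIFESTS, APPROVED):
        status = "approved" if row["approved"] else "INVESTIGATE"
        print(f"[{status}] {row['name']}: {'; '.join(row['reasons'])}")
```

Matching on the display name keeps the example short; a real allowlist should key on the extension ID, since a name is chosen by whoever published the extension.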


Pre-Defined Response Options

Option A: Remove Malware & Verify Software

  • Action: Uninstall unauthorized software and browser extensions, remove FakeBat components, verify all design software is from legitimate Adobe sources.
  • Pros: Completely removes the threat and establishes software verification procedures.
  • Cons: Time-consuming; may require reinstalling legitimate design software from official sources.
  • Type Effectiveness: Super effective against Trojan type malmons like FakeBat.

Option B: Browser Security Hardening

  • Action: Reset all affected browsers to default settings, disable unauthorized extensions, implement browser security policies to prevent future modifications.
  • Pros: Stops browser hijacking and prevents future unauthorized changes; relatively quick to implement.
  • Cons: Doesn’t address the underlying malware that may deploy additional payloads.
  • Type Effectiveness: Moderately effective against Browser Hijacker type threats.

Option C: Block Malicious Infrastructure

  • Action: Add ‘adobe-updates-secure.com’ and related domains to firewall blocklist, preventing communication with malware distribution servers.
  • Pros: Prevents additional staff from downloading fake updates; stops malware from receiving commands.
  • Cons: Doesn’t remove already-installed malware or fix compromised browsers.
  • Type Effectiveness: Partially effective against Downloader type malmons.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Initial Detection & Client Presentation Crisis (35-40 minutes)

Opening Hook: Wednesday morning at Creative Solutions Studio, 48 hours before major client presentation. Design workstations showing browser redirects and persistent advertisements. Staff report installing “critical software updates” for Adobe Creative Suite yesterday.

Time-Stamped Investigation Clues:

  • Minute 5: Multiple design workstations visited ‘adobe-updates-secure.com’, downloaded ‘CreativeSuite_UpdatePatch.exe’ (domain registered 3 days ago)
  • Minute 8: Memory scans reveal suspicious processes, digital signature verification fails—legitimate Adobe updates never require manual .exe downloads
  • Minute 12: DNS logs show connections to recently registered domains mimicking Adobe, network traffic to advertising and download servers
  • Minute 16: Design staff received convincing pop-up notifications about “critical security updates” during tight project deadline
  • Minute 20: Browser extensions ‘Adobe Secure Connect’ and ‘Creative Suite Helper’ installed with permissions to modify all web page content, injecting advertisements into legitimate websites
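
The DNS finding in the Minute 5 and Minute 12 clues can be reproduced with a short triage pass over resolver logs. This is an added example, not part of the original scenario materials; the log format, workstation names, dates, the `adobe.com` allowlist and the 30-day threshold are constructed assumptions.

```python
from datetime import date

BRAND_TOKENS = ("adobe",)          # vendor names staff expect to see in update prompts
OFFICIAL_DOMAINS = {"adobe.com"}   # assumption: the agency's own vendor allowlist
RECENT_DAYS = 30                   # assumption: threshold for "recently registered"

def registrable(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(log_lines, registered_on, today):
    """Group brand-lookalike lookups by domain with the clients that resolved them."""
    hits = {}
    for line in log_lines:
        _ts, client, qname = line.split()
        host = qname.lower().rstrip(".")
        domain = registrable(host)
        if domain in OFFICIAL_DOMAINS or not any(t in host for t in BRAND_TOKENS):
            continue
        hits.setdefault(domain, set()).add(client)
    report = []
    for domain in sorted(hits):
        created = registered_on.get(domain)   # None when no WHOIS/RDAP record is on file
        age = (today - created).days if created else None
        report.append({"domain": domain, "clients": sorted(hits[domain]),
                       "age_days": age, "recent": age is not None and age <= RECENT_DAYS})
    return report

# Constructed sample: resolver log lines as "<timestamp> <client> <query name>".
SAMPLE_LOG = [
    "2024-01-09T09:14:02Z design-ws-03 cdn.adobe.com",
    "2024-01-09T09:15:40Z design-ws-03 adobe-updates-secure.com",
    "2024-01-09T09:16:11Z design-ws-07 download.adobe-updates-secure.com.",
    "2024-01-09T09:20:55Z design-ws-07 www.example.org",
]
# Constructed registration data, as an analyst would pull from WHOIS/RDAP.
SAMPLE_REGISTERED = {"adobe-updates-secure.com": date(2024, 1, 7)}
TODAY = date(2024, 1, 10)

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_REGISTERED, TODAY):
        print(row)
```

The client list per domain doubles as the scoping list for which workstations need the deeper checks described in the later clues.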

Pressure Event (Minute 22): Major client calls to review presentation materials—requires functional design workstations. Business owner demands explanation for why design team productivity has dropped before critical Friday presentation.

Response Options:

  • Option A: Uninstall unauthorized software and browser extensions, remove FakeBat components, verify all design software from legitimate Adobe sources, establish software verification procedures
  • Option B: Reset all affected browsers to default settings, disable unauthorized extensions, implement browser security policies preventing future modifications
  • Option C: Add malicious domains to firewall blocklist, prevent additional staff from downloading fake updates, stop malware from receiving commands

Round 1 Debrief: How did FakeBat exploit user trust in legitimate design tools? What security challenges are unique to small businesses with limited IT resources? How did you balance Lisa’s need for client presentation delivery with thorough malware removal?

Round 2: Business Continuity & Creative Workflow Protection (35-45 minutes)

Evolution Based on Round 1 Choice: Malware removal time-consuming with potential design software reinstallation, browser fixes don’t address underlying malware deploying additional payloads, or infrastructure blocking doesn’t fix already-compromised workstations.

Advanced Investigation Clues:

  • Minute 44: ‘CreativeSuite_UpdatePatch.exe’ is loader delivering RedLine Stealer—design staff browser password stores, client FTP credentials, project management system access potentially exfiltrated
  • Minute 49: Memory forensics shows credential theft from designers with client project access—WordPress admin logins, cloud storage credentials, communication platform authentication cookies compromised
  • Minute 54: Attribution reveals fake Adobe update campaign using malvertising, searches for “Adobe Creative Suite update” and “design software patch” triggering malicious ads, targeting creative professionals
  • Minute 59: Client relations manager reports client is considering alternative agency due to delivery delays caused by security incident response

Pressure Event (Minute 62): Business owner presents financial reality—major client presentation represents 15% quarterly revenue. Client relationship damaged by delays. Small business cannot absorb both security incident costs AND lost client revenue. Resource constraints require choosing between perfect security response and business survival.

Enhanced Response Options:

  • Option D: Complete design workstation remediation, client communication templates about potential credential exposure, implement mandatory security training, invest in business-grade security tools
  • Option E: Selective deep cleaning on workstations with client access, implement browser-based protections agency-wide, document staff security responsibilities, controlled costs through triage
  • Option F: External IR partnership for professional assessment, implement findings as competitive security differentiator, provide staff complimentary consultations, transform incident into agency trust-building

NPC Interactions:

  • Lisa Martinez (Business Owner): Business survival focus, client relationship preservation, cannot afford both incident costs and revenue loss, small business financial constraints
  • Jake Thompson (IT Coordinator): Staff have administrative rights for design tool flexibility, monitoring capabilities limited, creative workflow protection versus security controls
  • Sarah Chen (Creative Director): Design team morale during incident, fake updates appeared during project deadline stress, creative professional autonomy expectations
  • Mark Rodriguez (Client Relations Manager): Client confidence erosion from delivery delays, competitive market with alternative agencies, relationship repair strategies

Round 2 Debrief: How did FakeBat’s secondary payload deployment (RedLine Stealer) threaten client project credentials across multiple designers? What competing priorities did NPCs present regarding business survival vs. security thoroughness vs. creative workflow? How do small businesses balance security investment with limited budgets and competitive market pressures?

Key Learning Objectives (Lunch & Learn)

Technical: Software masquerading targeting creative professionals, loader/dropper malware architecture, browser hijacking affecting client communications, small business endpoint security challenges

Business: Client presentation operations under security constraints, small business resource limitations, creative workflow protection, competitive market relationship management, ROI considerations for security investments

Incident Response: Triaging design workstations with client access, client notification with credential exposure uncertainty, balancing business continuity with security, managing stakeholder conflicts in resource-constrained environments


Full Game Materials (120-140 min, 3 rounds)

Round 1: Discovery & Presentation Preparation Crisis (35-40 minutes)

Opening: Creative Solutions Studio, Wednesday morning, 48 hours before major client presentation. Design workstations compromised with fake Adobe Creative Suite updates.

Investigation Paths: Detective (software installation analysis), Protector (design workstation forensics), Tracker (creative professional campaign attribution), Communicator (staff/client interviews)

Pressure Events: Major client reviewing presentation materials (Minute 12), business owner demanding productivity explanation (Minute 18), client relations manager reporting alternative agency consideration (Minute 22)

Player-Developed Responses: Players create containment strategies balancing design workstation security, client project protection, presentation delivery, and small business operations

Round 2: Client Credential Compromise & Designer Access Theft (40-45 minutes)

Evolution: RedLine Stealer deployment on design workstations with client project access, designer credential exfiltration, client FTP/WordPress/cloud storage access compromise, unauthorized access attempts

Advanced Investigation: Attribution reveals targeted creative professional campaign, fake Adobe update masquerading, malvertising exploiting design software trust

Complex Decisions: Client notification with uncertain credential exposure, designer support during compromise, presentation communications about security incident, external IR engagement with small business budget

NPC Conflicts: Business survival and client retention (Lisa), technical thoroughness and monitoring limitations (Jake), creative workflow protection and team morale (Sarah), client relationship repair and competitive pressure (Mark)

Round 3: Presentation Execution & Long-Term Small Business Security (35-45 minutes)

Final Phase: Presentation proceeds or is disrupted based on player decisions, post-presentation client concerns emerge or are addressed, long-term small business security architecture developed

Strategic Planning: Design workstation security policies, client credential protection programs, creative professional security training, small business security investment ROI analysis

Outcome Scenarios: Successful presentation with comprehensive client protection, compromised presentation with client withdrawal, or partial success with mixed relationship and revenue impact


Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Modifications

Ambiguity: Legitimate Adobe Creative Cloud updates, design software performance issues from unrelated causes, client concerns about general agency competence vs. specific security incident

Stakeholder Unreliability: Lisa concealing financial stress affecting security decisions, Jake overconfident about limited IT capabilities, Sarah protecting specific key designers despite security risks, Mark filtering client complaints to preserve presentation

Compressed Timeline: Presentation in 24 hours, client arriving for preview during investigation, creative director requiring designer availability for last-minute changes

Ethical Dilemmas: Client notification probabilities with uncertain credential exposure, designer support obligations with limited resources, presentation cancellation decision with revenue implications

Consequence Scenarios: False positive designer disruption affecting presentation quality, delayed notification resulting in client project compromise, inconsistent messaging eroding client trust, competitive agencies leveraging security concerns

[Comprehensive debrief covering small business security challenges, resource-constrained decision-making, client trust management, creative workflow protection, and competitive market incident response complexity]