Raspberry Robin Scenario: Government Office
German variation:
Government Removable-Media Outbreak • RaspberryRobin
STAKES
Citizen trust + Service continuity + Public-data integrity + Compliance posture
HOOK
Citizen-service teams report removable media creating unexpected shortcut files on intake workstations, unexplained process activity in administrative systems, and anomalies moving between office and records-management environments. Security monitoring confirms recurring outbound sessions from public-service hosts while endpoint scans remain inconclusive.
PRESSURE
- Decision deadline: Thursday 15:30
- Service scope: District citizen-service and permitting operations
- Exposure estimate: EUR 2.1 million projected incident response and citizen-remediation exposure
FRONT • 120 minutes • Intermediate
NPCs
- Stefan Weber (Executive Lead): Owns strategic response and public-trust posture
- Petra Wagner (IT Director): Leads administrative-system triage and recovery sequencing
- Markus Bauer (Operations Lead): Coordinates frontline service execution and fallback workflows
- Monika Schulz (Data Protection Officer): Directs evidential integrity and data-protection risk posture
SECRETS
- Removable-media workflows remained embedded in citizen-service intake and records-transfer routines
- Access boundaries around permitting and casework systems exceeded least-privilege intent
- Covert activity prioritized citizen-service workflow data before visible service interruption
Dutch variation:
Government Removable-Media Outbreak • RaspberryRobin
STAKES
Citizen trust + Service continuity + Public-data integrity + Compliance posture
HOOK
Citizen-service teams report removable media creating unexpected shortcut files on intake workstations, unexplained process activity in administrative systems, and anomalies moving between office and records-management environments. Security monitoring confirms recurring outbound sessions from public-service hosts while endpoint scans remain inconclusive.
PRESSURE
- Decision deadline: Thursday 15:30
- Service scope: Municipal citizen-service and permitting operations
- Exposure estimate: EUR 3.7 million projected incident response and citizen-remediation exposure
FRONT • 120 minutes • Intermediate
NPCs
- Willem de Vries (Executive Lead): Owns strategic response and public-trust posture
- Sophie de Graaf (IT Director): Leads administrative-system triage and recovery sequencing
- Maarten Jansen (Operations Lead): Coordinates frontline service execution and fallback workflows
- Eva Meijer (Data Protection Officer): Directs evidential integrity and data-protection risk posture
SECRETS
- Removable-media workflows remained embedded in citizen-service intake and records-transfer routines
- Access boundaries around permitting and casework systems exceeded least-privilege intent
- Covert activity prioritized citizen-service workflow data before visible service interruption
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Raspberry Robin Government Office Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:
Raspberry Robin Government Office Scenario Slides
Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support
Scenario Details for IMs
Hook
German variation:
“It is Wednesday at 07:10 at Landratsamt Karlsruhe. Early-shift staff preparing citizen-service desks report suspicious shortcut files from removable media, unexplained process execution on casework stations, and unusual activity between permitting and records systems. Security staff detect repeated outbound sessions from systems handling citizen-service data. Leadership must contain the incident before public-service delivery and trust are disrupted.”
“Initial municipal alert logged at 07:10. Regional context: Germany.”
“Operational scale: District government office with 400 employees supporting citizen services.”
Dutch variation:
“It is Wednesday at 07:10 at Gemeente Utrecht. Early-shift staff preparing citizen-service desks report suspicious shortcut files from removable media, unexplained process execution on casework stations, and unusual activity between permitting and records systems. Security staff detect repeated outbound sessions from systems handling citizen-service data. Leadership must contain the incident before public-service delivery and trust are disrupted.”
“Initial municipal alert logged at 07:10. Regional context: Netherlands.”
“Operational scale: Municipal government with 3,500 employees and extensive digital citizen infrastructure.”
Initial Symptoms to Present:
- “Removable media creates suspicious shortcut files on intake and casework stations”
- “Administrative systems show unexplained process launches during opening procedures”
- “Permitting and records workflows report anomalies across service systems”
- “Outbound encrypted traffic persists from hosts handling citizen-service information”
Key Discovery Paths:
Detective Investigation Leads:
- Timeline analysis links propagation to routine removable-media public-service workflows
- Access records indicate focus on permitting and casework repositories
- Host artifacts show sustained reconnaissance before overt operational disruption
Protector System Analysis:
- Endpoint triage confirms propagation indicators across administrative service infrastructure
- Control review identifies overtrusted pathways in records-transfer routines
- Containment must preserve evidence while reducing frontline service risk rapidly
Tracker Network Investigation:
- Beaconing and staged transfers indicate coordinated command infrastructure behavior
- Lateral traces map movement between intake, records, and permitting systems
- Telemetry profile matches removable-media reconnaissance in public-sector operations
Communicator Stakeholder Interviews:
- Frontline service teams require clear continuation criteria for citizen operations
- Public communication teams need defensible language for incident updates
- Oversight stakeholders require confidence-scoped status and evidence controls
Mid-Scenario Pressure Points:
- Hour 1: Citizen-service desks report anomalies in high-volume intake workflows
- Hour 2: Leadership cannot verify reliability of current permitting records
- Hour 3: Public trust pressure rises as service disruptions expand
- Hour 4: Regulatory and operational risk increases while scope remains unresolved
Evolution Triggers:
- If removable-media controls lag, propagation continues through daily public-service routines
- If systems are reset too early, evidential confidence and compliance posture weaken
- If communication is delayed, citizen trust degrades faster than technical recovery
Resolution Pathways:
Technical Success Indicators:
- Propagation paths are removed and service systems return to trusted baselines
- Forensic timeline and citizen-service evidence are preserved for oversight review
- Removable-media governance is hardened across intake and records workflows
Business Success Indicators:
- Service continuity decisions remain defensible under documented risk analysis
- Public messaging remains timely, accurate, and confidence-scoped
- Incident response preserves citizen trust while restoring reliable operations
Learning Success Indicators:
- Team recognizes removable-media propagation in public-sector service environments
- Participants balance containment urgency with evidence-quality discipline
- Group coordinates operations, cybersecurity, and governance decisions under pressure
Common IM Facilitation Challenges:
If Teams Focus Only on Central Systems:
“Which controls must be executed at frontline desks in the next hour to reduce citizen impact?”
If Teams Delay Oversight Coordination:
German variation: “State DPA channels request incident status, evidential controls, and assurance that citizen-service records remain reliable under public-sector processing obligations.”
Dutch variation: “Autoriteit Persoonsgegevens channels request incident status, evidential controls, and assurance that citizen-service records remain reliable under municipal processing obligations.”
If Teams Skip Public-Trust Planning:
“What evidence threshold is required before issuing service-integrity assurances to residents?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Detect removable-media propagation and set immediate service protections
Key Actions: Scope exposure, preserve evidence, and set initial public-trust posture
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate service triage, public communication, and oversight escalation
Key Actions: Validate integrity confidence, isolate high-risk workflows, align citizen messaging
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end government-office response under citizen and regulatory pressure
Key Actions: Balance service continuity with defensible containment and compliance posture
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous records evidence, multi-service coordination, and authority conflict
Additional Challenges: Compressed deadlines and contested operational governance decisions
This German variation can be adapted to other EU countries during facilitation. EU members share GDPR, but public-sector structures and reporting paths vary.
When localizing this government-office scenario, substitute the relevant institutions below:
| Netherlands | Autoriteit Persoonsgegevens | NCSC-NL | Municipal executive and council structures | Highly digital citizen-service platforms |
| France | CNIL | ANSSI | Prefecture and municipal structures | Centralized national cyber coordination |
| Denmark | Datatilsynet | CFCS | Municipal and regional public authorities | Strong digital public-service workflows |
| Sweden | IMY | CERT-SE | Municipal administrations | Decentralized service execution model |
| Italy | Garante Privacy | ACN | Comune and regional administration structures | Multi-layer administrative coordination |
Notes:
- Administrative variance: Local and regional authorities have different escalation chains.
- Service impact: Citizen-facing workflows may require continuity obligations during containment.
- Facilitation: Keep technical flow stable and localize only institutions, roles, and legal framing.
This Dutch variation can be adapted to other EU countries during facilitation. EU members share GDPR, but public-sector structures and reporting paths vary.
When localizing this government-office scenario, substitute the relevant institutions below:
| Germany | BfDI | BSI | District and Land structures | Federal governance with state variation |
| France | CNIL | ANSSI | Prefecture and municipal structures | Centralized national cyber coordination |
| Denmark | Datatilsynet | CFCS | Municipal and regional public authorities | Strong digital public-service workflows |
| Sweden | IMY | CERT-SE | Municipal administrations | Decentralized service execution model |
| Italy | Garante Privacy | ACN | Comune and regional administration structures | Multi-layer administrative coordination |
Notes:
- Administrative variance: Local and regional authorities have different escalation chains.
- Service impact: Citizen-facing workflows may require continuity obligations during containment.
- Facilitation: Keep technical flow stable and localize only institutions, roles, and legal framing.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
German variation:
- Clue 1 (Minute 5): Security operations at Landratsamt Karlsruhe confirms removable-media propagation across administrative support systems.
- Clue 2 (Minute 10): Markus Bauer confirms unexplained access to permitting records and citizen-case workflow artifacts tied to this week’s high-volume service windows.
- Clue 3 (Minute 15): Landrat Stefan Weber opens an emergency operations brief and states that citizen-service continuity cannot rely on uncertain data integrity. IT Director Petra Wagner confirms suspicious process execution linked to removable-media workflows on administrative hosts. Operations Lead Markus Bauer reports propagation indicators across permitting and intake stations. DPO Monika Schulz requests immediate evidence preservation and data-protection impact assessment.
Dutch variation:
- Clue 1 (Minute 5): Security operations at Gemeente Utrecht confirms removable-media propagation across administrative support systems.
- Clue 2 (Minute 10): Maarten Jansen confirms unexplained access to permitting records and citizen-case workflow artifacts tied to this week’s high-volume service windows.
- Clue 3 (Minute 15): Burgemeester Willem de Vries opens an emergency operations brief and states that citizen-service continuity cannot rely on uncertain data integrity. IT Director Sophie de Graaf confirms suspicious process execution linked to removable-media workflows on administrative hosts. Operations Lead Maarten Jansen reports propagation indicators across permitting and intake stations. DPO Eva Meijer requests immediate evidence preservation and data-protection impact assessment.
Pre-Defined Response Options
Option A: Evidence-First Service Containment
- Action: Isolate affected service systems, preserve artifacts, and enforce staged workflow recovery with explicit records validation.
- Pros: Maximizes evidence quality and long-term governance defensibility.
- Cons: Near-term service throughput pressure and citizen-impact risk.
- Type Effectiveness: Super effective for durable public-service resilience.
Option B: Continuity-First Operations
- Action: Maintain broad service operations while applying targeted controls to highest-risk workflows.
- Pros: Preserves near-term service continuity for residents.
- Cons: Higher probability of continued propagation and integrity uncertainty.
- Type Effectiveness: Partially effective with elevated public-trust risk.
Option C: Phased Integrity Restoration
- Action: Prioritize highest-risk citizen-service workflows and restore remaining services in controlled waves.
- Pros: Balances operational urgency with verification discipline.
- Cons: Extended uncertainty can strain resident confidence.
- Type Effectiveness: Moderately effective with strict governance controls.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Service-System Exposure (30-35 min)
German variation:
- Opening: Landrat Stefan Weber opens an emergency operations brief and states that citizen-service continuity cannot rely on uncertain data integrity. IT Director Petra Wagner confirms suspicious process execution linked to removable-media workflows on administrative hosts. Operations Lead Markus Bauer reports propagation indicators across permitting and intake stations. DPO Monika Schulz requests immediate evidence preservation and data-protection impact assessment.
- Clue 1 (Minute 10): Endpoint telemetry indicates propagation behavior tied to intake and records workflows.
- Clue 2 (Minute 20): Markus Bauer confirms unexplained access to permitting records and citizen-case workflow artifacts tied to this week’s high-volume service windows.
Dutch variation:
- Opening: Burgemeester Willem de Vries opens an emergency operations brief and states that citizen-service continuity cannot rely on uncertain data integrity. IT Director Sophie de Graaf confirms suspicious process execution linked to removable-media workflows on administrative hosts. Operations Lead Maarten Jansen reports propagation indicators across permitting and intake stations. DPO Eva Meijer requests immediate evidence preservation and data-protection impact assessment.
- Clue 1 (Minute 10): Endpoint telemetry indicates propagation behavior tied to intake and records workflows.
- Clue 2 (Minute 20): Maarten Jansen confirms unexplained access to permitting records and citizen-case workflow artifacts tied to this week’s high-volume service windows.
Round 2: Oversight and Citizen Decisions (30-35 min)
German variation:
- Clue 3 (Minute 35): State DPA channels request incident status, evidential controls, and assurance that citizen-service records remain reliable under public-sector processing obligations.
- Clue 4 (Minute 45): BSI reports recurring campaigns where removable-media propagation in government environments enabled persistent reconnaissance before visible service disruption.
- Pressure Event (Minute 55): “Leadership requires a service and communication decision by Thursday 15:30.”
- Coordination Note: “Immediate external coordination: BSI and state LKA cyber units plus State DPA and BfDI coordination channels under GDPR and BDSG obligations for public-sector data handling.”
Dutch variation:
- Clue 3 (Minute 35): Autoriteit Persoonsgegevens channels request incident status, evidential controls, and assurance that citizen-service records remain reliable under municipal processing obligations.
- Clue 4 (Minute 45): NCSC-NL reports recurring campaigns where removable-media propagation in government environments enabled persistent reconnaissance before visible service disruption.
- Pressure Event (Minute 55): “Leadership requires a service and communication decision by Thursday 15:30.”
- Coordination Note: “Immediate external coordination: NCSC-NL and Team High Tech Crime plus Autoriteit Persoonsgegevens supervisory channels under GDPR obligations for municipal data handling.”
Debrief Focus
- How removable-media propagation alters assumptions in government service environments
- What evidence quality is required before citizen-service integrity assurances
- Which administrative procedures should be redesigned for future resilience
- How to align cybersecurity response with public-service and compliance obligations