Raspberry Robin Scenario: State Department of Revenue Breach

State Department of Revenue: Government agency processing tax returns and citizen services, 600 employees
Worm • RaspberryRobin
STAKES
Taxpayer data security + Government service continuity + Regulatory compliance + Public trust
HOOK
The State Department of Revenue is processing peak tax season returns when field auditors and citizen service representatives begin reporting USB drives that automatically create suspicious folder-like files. The USB-based malware is spreading through routine data collection procedures, jumping between secure government networks and citizen service systems through legitimate USB workflows used for tax audits and document transfers.
PRESSURE
Tax season peak operations - any data breach affects millions of taxpayers + Government security breach threatens public trust
FRONT • 120 minutes • Advanced
NPCs
  • Director Patricia Chen: Managing peak tax season operations, discovering that USB-based malware is spreading through government networks via routine tax audit and citizen service procedures
  • Chief Information Officer Robert Martinez: Investigating how USB malware is bypassing government security controls and spreading between classified and citizen service networks
  • Field Audit Supervisor Linda Johnson: Reporting that USB drives used for taxpayer data collection are automatically creating malicious files affecting audit systems and citizen information
  • Cybersecurity Analyst Kevin Foster: Analyzing USB-based worm propagation through government workflows and assessing potential taxpayer data exposure
SECRETS
  • Government auditors routinely use USB drives to collect taxpayer documents and transfer data between field locations and secure office systems
  • USB-based malware is spreading through legitimate government workflows, bypassing network security and air-gapped protections
  • Infected systems include both taxpayer data processing and government service delivery networks

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Raspberry Robin Government Office Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Raspberry Robin Government Office Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

State Department of Revenue: Government Agency During Tax Season Peak Operations

Quick Reference

  • Organization: Government agency processing tax returns and citizen services, 600 employees handling taxpayer data
  • Key Assets at Risk: Taxpayer data security (millions of citizens affected), Government service continuity, Regulatory compliance, Public trust in government data protection
  • Business Pressure: Tax season peak operations—any data breach affects millions of taxpayers, government security breach threatens public trust in state agency capability
  • Core Dilemma: Continue USB-based tax document collection to maintain government services BUT allow malware propagation through taxpayer data systems, OR halt USB workflows for containment BUT disrupt tax processing and citizen services during peak season
Detailed Context
Organization Profile

Government agency processing tax returns and citizen services, 600 employees

Key Assets At Risk:
  • Taxpayer data security
  • Government service continuity
  • Regulatory compliance
  • Public trust

Business Pressure
  • Tax season peak operations - any data breach affects millions of taxpayers
  • Government security breach threatens public trust
Cultural Factors
  • Government auditors routinely use USB drives to collect taxpayer documents and transfer data between field locations and secure office systems
  • USB-based malware is spreading through legitimate government workflows, bypassing network security and air-gapped protections
  • Infected systems include both taxpayer data processing and government service delivery networks

Hook

“It’s Wednesday morning at the State Department of Revenue during peak tax season, and government employees are processing thousands of tax returns while field auditors collect taxpayer documents using USB drives for secure transfer. But auditors begin reporting disturbing behavior: USB drives are automatically creating files that appear to be normal folders, but accessing them causes system anomalies. The USB-based malware is spreading through legitimate government workflows, affecting both taxpayer data systems and citizen service networks.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “USB drives used by field auditors automatically creating suspicious LNK files disguised as folders”
  • “Government tax processing systems showing signs of infection after routine USB data transfers”
  • “Citizen service networks experiencing unauthorized file creation and system modifications”
  • “Taxpayer data security systems displaying anomalous behavior after USB-based document transfers”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal USB-based worm creating malicious LNK files designed to spread through government workflows
  • Government system analysis shows infection propagating through routine taxpayer data collection procedures
  • Security timeline indicates potential initial compromise through citizen interaction or contractor device
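
One way the forensics lead above could be triaged, as an added example that is not part of the original scenario materials: it reads the fixed 76-byte Shell Link header of every .lnk file in a drive's root directory and flags shortcuts that target a file and carry command-line arguments, which a shortcut to a real folder does not need. The function names, the heuristic and the sample drive contents are assumptions constructed for illustration.

```python
import struct

# Constants from the Shell Link (.LNK) binary format, [MS-SHLLINK].
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20              # LinkFlags: a command line is stored in the link
FILE_ATTRIBUTE_DIRECTORY = 0x10   # FileAttributes: link target is a folder


def parse_lnk_header(data):
    """Return (link_flags, file_attributes) or None if data is not a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    return flags, attrs


def triage_drive_root(files):
    """files maps each name in the drive's root directory to its raw bytes.

    Flags shortcuts that carry command-line arguments while pointing at a
    file rather than a folder, and shortcut files with a malformed header.
    """
    findings = []
    for name, data in sorted(files.items()):
        if not name.lower().endswith(".lnk"):
            continue
        header = parse_lnk_header(data)
        if header is None:
            findings.append((name, "not a valid shell link header"))
            continue
        flags, attrs = header
        if flags & HAS_ARGUMENTS and not attrs & FILE_ATTRIBUTE_DIRECTORY:
            findings.append((name, "file target with command-line arguments"))
    return findings


def make_header(flags, attrs):
    """Constructed test input: a 76-byte header with zeroed timestamps."""
    fixed = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, attrs)
    return fixed.ljust(LNK_HEADER_SIZE, b"\0")


# Constructed sample of a field auditor's drive root (not real evidence).
SAMPLE_ROOT = {
    "Audit Documents.lnk": make_header(0x01 | HAS_ARGUMENTS, 0x20),  # file + args
    "Archive.lnk": make_header(0x01, FILE_ATTRIBUTE_DIRECTORY),      # real folder link
    "returns_2023.pdf": b"%PDF-1.7",
    "Scans.lnk": b"MZ\x90\x00",                                      # wrong file type
}
```

A flagged shortcut is a lead for the Detective role to examine on an isolated workstation, not a verdict; legitimate application shortcuts also carry arguments, so the check is most useful on drives that should hold only collected documents.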

Protector System Analysis:

  • Government network monitoring reveals USB-based malware bypassing security controls and air-gapped protections
  • Taxpayer data system assessment shows potential compromise of sensitive citizen information processing
  • Government security analysis indicates systematic USB-based propagation across classified and citizen service networks

Tracker Network Investigation:

  • USB device forensics reveal sophisticated worm adapted for government workflow exploitation
  • Government system communication patterns show malware leveraging legitimate administrative processes
  • Taxpayer data integrity analysis indicates potential exposure of sensitive citizen information

Communicator Stakeholder Interviews:

  • Government employee interviews reveal routine USB usage patterns in taxpayer data collection and processing
  • Citizen service coordination regarding potential exposure of personal tax and financial information
  • Regulatory compliance assessment with state and federal government cybersecurity requirements

Mid-Scenario Pressure Points:

Evolution Triggers:

Resolution Pathways:

Technical Success Indicators:

Business Success Indicators:

Learning Success Indicators:

Common IM Facilitation Challenges:

If Government Workflow Complexity Is Ignored:

“Your network security strategy is sound, but Linda explains that field auditors must use USB drives to collect taxpayer documents from citizen locations. How does this legitimate government workflow requirement change your USB security approach?”

If Taxpayer Data Impact Is Minimized:

“While you’re removing USB malware, Kevin discovered that infected systems process millions of taxpayers’ tax returns and personal financial information. How do you assess potential citizen data exposure and notification requirements?”

If Public Trust Implications Are Overlooked:

“Director Chen just learned that the news media is asking about a government cybersecurity breach during tax season. How do you balance technical response with public trust and transparent government communication obligations?”

Success Metrics for Session:


Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

  • Structure: 3 investigation rounds, 1 decision round
  • Focus: Core USB worm discovery and immediate government network containment
  • Simplified Elements: Streamlined regulatory compliance and taxpayer notification complexity
  • Key Actions: Identify USB malware propagation, implement emergency device controls, coordinate field audit suspension

Lunch & Learn (75-90 minutes)

  • Structure: 5 investigation rounds, 2 decision rounds
  • Focus: Comprehensive USB workflow investigation and taxpayer data protection
  • Added Depth: Government cybersecurity requirements and citizen service continuity
  • Key Actions: Complete forensic analysis of USB worm spread, coordinate regulatory assessment, restore government operations with verification

Full Game (120-140 minutes)

  • Structure: 7 investigation rounds, 3 decision rounds
  • Focus: Complete government USB outbreak response with state cybersecurity coordination
  • Full Complexity: Taxpayer data breach assessment, public trust management, long-term government USB security policy
  • Key Actions: Comprehensive USB malware containment across government networks, coordinate state cybersecurity response, implement enhanced workflow security while maintaining tax season operations

Advanced Challenge (150-170 minutes)

  • Structure: 8-9 investigation rounds, 4 decision rounds
  • Expert Elements: Government regulatory technical depth, taxpayer notification strategy, public communication complexity
  • Additional Challenges: Mid-scenario tax season deadline pressure, media scrutiny, citizen data forensics coordination
  • Key Actions: Complete investigation under government operational constraints, coordinate multi-agency response, implement comprehensive USB security architecture while maintaining public trust


Quick Demo Materials (35-40 min)

Guided Investigation Clues

Progressive hints to maintain engagement and learning momentum:

If team is uncertain where to start investigation:

“Field Audit Supervisor Linda Johnson explains that government auditors must collect taxpayer documents at citizen locations, businesses, and accounting offices. They can’t email or network-transfer this sensitive data due to security policies, so USB drives are the only approved method for secure taxpayer information collection. The worm exploits your most security-conscious government workflow. How do you contain USB malware when USB usage is mandatory for citizen data protection?”

Teaching moment: Government security often requires air-gapped and removable media procedures specifically to protect sensitive citizen data. USB malware containment in government environments requires balancing security with operational mandates that rely on physical media transfers.

If team misses citizen notification implications:

“Cybersecurity Analyst Kevin Foster has completed his assessment. The USB malware accessed tax processing systems handling returns for approximately 3.2 million state taxpayers, potentially exposing Social Security numbers, income information, bank account details, and complete financial profiles. State law requires breach notification to affected citizens within 30 days, and media disclosure is mandatory. How does this massive taxpayer exposure change your response priorities and public communication strategy?”

Teaching moment: Government cybersecurity incidents involving citizen data trigger specific legal notification requirements and public trust implications. Response must balance technical remediation with transparent communication and citizen protection obligations that extend beyond typical corporate breach management.

If team overlooks operational continuity criticality:

“Director Patricia Chen reports that you’re two weeks from the state tax filing deadline. Field auditors must complete 5,000+ business audits before then, and each audit requires USB data collection. If you disable USB access, government audit operations stop and businesses can’t meet compliance requirements. If you don’t contain the worm, taxpayer data exposure continues through every audit. How do you resolve this operational impossibility during the most critical government service period of the year?”

Teaching moment: Government USB malware incidents often occur during critical operational windows when workflow dependencies are highest. Effective response requires creative solutions that satisfy both security containment and government service delivery obligations to citizens who depend on these services.


Pre-Defined Response Options

Three balanced response approaches with trade-offs:

Option A: Emergency Government Lockdown & Complete USB Elimination

Option B: Accelerated Parallel Response & Conditional USB Restoration

Option C: Selective System Isolation & Phased Security Recovery


Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Field Operations Assessment (30-35 min)

Investigation Clues:

Response Options:

Round 2: Taxpayer Data & Public Accountability (30-35 min)

Investigation Clues:

Response Options:

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the agency faces immediate public service disruption (shutdown approach) or continued field operation worm propagation (monitoring/isolation approach). Either way, the situation escalates dramatically when Compliance Officer Robert Park reveals that infected USB drives have accessed taxpayer databases containing sensitive financial information for 45,000 citizens - SSNs, income data, business records. State data breach notification law triggers strict notification timelines and mandatory state-level incident review. This transforms the incident from an internal IT problem to a public accountability crisis with legislative oversight and media scrutiny. Additionally, threat intelligence reveals Raspberry Robin in government agencies typically precedes identity theft and tax fraud operations targeting taxpayer information. State cybersecurity authority demands incident briefing, adding inter-agency coordination pressure to the technical response. The team must now balance taxpayer data protection, public service continuity, state oversight, legislative accountability, and field operation coordination simultaneously under public scrutiny.

Debrief Focus:


Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Discovery & Government Operations Impact (35-40 min)

Opening: It’s mid-March at the State Department of Revenue - peak tax season with field auditors conducting business compliance reviews across the state. Agency Director Janet Foster receives concerning reports from Field Audit Supervisor Diana Martinez: USB drives used to collect taxpayer records during field audits are creating suspicious files and spreading infection faster than anticipated.

Team Action: Each player takes 2 actions to investigate using their role’s capabilities.

Key NPCs:

Round 1 Pressure Events:

Round 2: Response Strategy & State Oversight Pressure (35-40 min)

Opening: MS-ISAC (Multi-State ISAC) reports Raspberry Robin in government agencies leads to ransomware or identity theft operations. Robert completes taxpayer data assessment: 45,000 citizens’ SSNs and financial information potentially compromised. State data breach notification law triggers 45-day citizen notification requirement. State cybersecurity authority demands incident briefing and remediation plan.

Response Options:

Round 2 Pressure Events:

Round 3: Resolution & Government Sector Security Lessons (35-40 min)

Facilitation Questions:

1. What makes government cybersecurity different from private sector?
2. How do USB threats challenge distributed field operations?
3. What role does public accountability play in government security decisions?
4. How should government balance security and citizen services?
5. What partnerships are valuable for public sector cybersecurity?
6. How have USB threats evolved in government contexts?

Victory Conditions:


Advanced Challenge Materials (150-170 min, 3 rounds)

Additional Complexity Layers

For experienced teams seeking maximum challenge, add these complexity elements:

1. Legislative Oversight & Public Accountability

2. Multi-Agency Coordination Complexity

3. Taxpayer Data Protection & Identity Theft Risks

4. Field Auditor Workforce Dynamics

5. Public Budget Constraints

6. Media and Public Relations in Government Context

7. Tax Season Operational Criticality


Victory Conditions (Advanced Challenge):