1. Quick Reference

Element	Details
Malmon	FakeBat (Downloader/Social) ⭐⭐
Difficulty Tier	Tier 1 (Intermediate) - Shared workspace and independent contractor complexity
Scenario Variant	Freelancer Coworking - Monday Client Deadlines
Organizational Context	Innovation Hub: Shared workspace, 120 freelancers, collaborative professional environment, multiple client deadlines Monday
Primary Stakes	Client projects + Freelancer livelihoods + Shared network security + Professional reputation
Recommended Formats	Lunch & Learn, Full Game (75-140 min)
Essential NPCs	Jennifer Wilson (Workspace Manager), Carlos Martinez (Network Administrator), Diana Foster (Community Manager), Robert Chen (Member Services Coordinator)
Optional NPCs	Freelancer members, Client representatives, Workspace investors, Competing coworking spaces

Scenario Hook

“Innovation Hub is supporting independent professionals when the shared network experiences widespread browser issues and unexpected software installations. Freelancers report downloading ‘essential productivity tools’ and ‘collaboration software’ that appeared necessary for client work, but these were sophisticated software masquerading attacks targeting remote workers.”

Victory Condition

Successfully identify and remove FakeBat downloader from shared workspace network, protect freelancer client projects, restore systems for Monday deadlines, and implement shared network security controls for diverse independent contractors.

---

2. Organization Context

Innovation Hub: Professional Community Multi-Tenant Crisis

Quick Reference

• Organization: Innovation Hub coworking space serving 120 independent freelance professionals across creative, technology, business, legal sectors with shared high-speed network infrastructure and collaborative workspace
• Key Assets at Risk: Member Client Deliverables & Professional Reputations, Shared Network Infrastructure & Data Security, Coworking Business Model & Community Trust
• Business Pressure: Monday morning with 15 freelancers facing client deadline cascade—FakeBat infection spreading through shared network after member downloaded fake design software installer, compromising client data and professional work
• Core Dilemma: Isolate infected systems NOW to contain spread BUT disrupt 15 members’ critical client deliverables (professional relationships and revenue at risk), OR Maintain network access for deadline completion BUT allow malware propagation threatening all 120 members’ data

Detailed Context

Organization Profile

Type: Professional coworking space providing shared workspace, high-speed internet, meeting rooms, collaborative tools, and community events for independent freelance professionals, consultants, and small business owners seeking alternative to home office or traditional office lease.

Size: 120 active members including 45 creative professionals (web designers, graphic designers, photographers, videographers, content creators), 30 technology specialists (software developers, UX designers, IT consultants, cybersecurity professionals), 25 business consultants (marketing strategists, financial advisors, management consultants), 15 legal professionals (attorneys, paralegals, compliance specialists), 5 administrative staff managing facility operations and member services.

Operations: Monthly membership program generating $54,000 revenue from tiered memberships ($300 basic workspace, $450 dedicated desk, $600 private office), day pass sales ($35/day) serving 180 occasional users monthly, meeting room rentals ($50-150/hour) for client meetings and presentations, professional development events and networking sessions, shared high-speed fiber internet (1Gbps symmetric), centralized WiFi infrastructure, printing and office services, coffee bar and common areas.

Critical Services: Shared network infrastructure serving all 120 members simultaneously, WiFi access throughout 8,000 sq ft facility, video conferencing capabilities for client presentations, file sharing and cloud collaboration tool access, printing and scanning for client deliverables, secure environment for confidential client communications.

Technology Infrastructure: Enterprise-grade centralized WiFi with single broadcast SSID serving entire membership community, network architecture designed for convenience over segmentation (“seamless collaboration” priority), members connect personal devices (diverse operating systems, security postures, software configurations) to shared network, minimal device security enforcement (no network access control, members responsible for own cybersecurity), guest network for client visitors.

Current Crisis Period: Monday morning with 15 members facing concurrent client deadline deliverables—major client presentations, regulatory filings, product launches, court document deadlines, all requiring network access for final preparation and submission during next 12-24 hours.

Key Assets & Impact

Member Client Deliverables & Professional Reputations: 15 freelancers facing Monday/Tuesday client deadlines including web designer launching $50K e-commerce site for major retail client (go-live scheduled, merchant services activated, marketing campaign synchronized), software developer deploying HIPAA-compliant healthcare application to production (regulatory deadline, hospital implementation timeline dependent), attorney filing court documents with statutory deadline (no judge extension authority, client case outcome affected), marketing consultant presenting Fortune 500 campaign strategy (six-month relationship, $200K annual contract renewal dependent on presentation), business strategist delivering merger analysis (corporate client decision timeline, competing consulting firms ready to replace)—FakeBat infection compromising member devices containing client intellectual property, confidential business strategies, privileged legal communications, personal health information, financial data, network isolation preventing deadline completion risks professional relationship destruction, revenue loss, career damage for independent professionals where reputation is sole business asset.

Shared Network Infrastructure & Data Security: 120 members’ devices connected to single shared network—multi-tenant environment means one member’s compromised device threatens entire community’s data security, FakeBat operating as multi-stage loader downloading secondary payloads targeting credentials, browser data, cached files across network, professional diversity means varied data sensitivity (attorney-client privilege, healthcare patient data, corporate intellectual property, financial records, creative work for celebrity clients) all at risk on shared infrastructure, freelancers lack enterprise IT resources for individual security, depend on workspace network as trusted professional environment, infection spreading through network shares and cached credentials compromises confidential client information across 120 independent professional practices.

Coworking Business Model & Community Trust: Innovation Hub brand built on “professional workspace alternative”—members choose coworking over home office specifically for reliable infrastructure and professional environment, security breach affecting member client deliverables destroys core value proposition (trusted workspace enabling professional success), 120 members paying $300-600 monthly ($54K revenue) can immediately cancel memberships and work from home, professional community network effect depends on trust (members refer colleagues, collaborate on projects, share client opportunities), reputation damage through member data compromise spreads through professional networks (designers, developers, consultants, attorneys all connected in small professional communities), competitive coworking spaces in market ready to receive dissatisfied members, business model depends on member retention and community growth.

Immediate Business Pressure

Monday Morning, 9:15 AM - Infection Discovery During Deadline Week:

Innovation Hub manager Sarah Martinez received alert from cybersecurity consultant member who discovered FakeBat infection while troubleshooting slow network performance. Consultant traced source to graphic designer’s laptop—designer had downloaded fake Adobe Creative Cloud update from convincing malicious website Friday afternoon, FakeBat installed and began operating as multi-stage loader, downloading credential theft and browser hijacking payloads over weekend.

Network analysis revealed infection spreading through shared network infrastructure—10 additional member devices showing indicators of compromise, malware accessing cached credentials and browser data, secondary payloads downloading ransomware preparation tools. Consultant recommended immediate network segmentation and infected device isolation.

But 15 members in workspace facing critical Monday/Tuesday client deadlines—isolation means inability to access client files, cloud collaboration tools, email communications, video conferencing for presentations. Web designer scheduled client go-live launch in 8 hours. Attorney must file court documents by 5pm today (statutory deadline). Software developer deploying to production tonight (hospital using application tomorrow morning for patient care). All work stored in cloud, dependent on network access.

Member community texting: “What’s happening with WiFi?” “Client presentation in 2 hours, need network NOW.” “Deadline today, can’t lose access.” Community manager fielding panicked calls from members whose professional reputations depend on today’s deliverables.

Critical Timeline: - Current moment (Monday 9:15am): 11 devices infected, FakeBat spreading, 15 members have client deadlines next 12-24 hours - Stakes: Member professional reputations and revenue, 120 members’ confidential client data, coworking business model and community trust - Dependencies: Single shared network infrastructure, members’ devices are personal equipment, professional deliverables have absolute deadlines (court filings, regulatory compliance, client contracts)

Cultural & Organizational Factors

Convenience-first network design prioritized collaboration over security: Coworking space designed shared network for “seamless professional collaboration”—when IT consultant proposed network segmentation and access controls, management rejected citing “friction for members” and “administrative complexity.” Business decision: member convenience (easy WiFi access, no authentication barriers) over network security (device verification, traffic monitoring). Decision made business sense—coworking competes on ease of use, members expect “plug and play” workspace, administrative overhead managing device authentication conflicts with small staff (5 people), membership value proposition emphasizes simplicity. Single shared network enabled “community collaboration,” created vulnerability allowing lateral movement. FakeBat exploited open architecture.

Member device diversity without security enforcement reflects independent professional reality: Freelancers bring personal devices with varied security postures—graphic designers on Macs running pirated software, developers with Linux custom configurations, consultants on Windows laptops with inconsistent patch levels, attorneys on older systems running specialized legal software. When management proposed mandatory security software or network access control, members rejected as “overreach” into personal equipment and “incompatible with professional autonomy.” Freelancer culture: independent professionals manage own technology, workspace provides facility not IT management, device security is personal responsibility. Business reality: enforcing security requirements would lose members to competitors offering “no restrictions” access. No security baseline meant compromised member device threatened entire community.

Small business operational model lacks enterprise security resources: Innovation Hub operates on thin margins—$54K monthly membership revenue supports facility lease, utilities, staff salaries, amenities, minimal technology budget for router and WiFi access points. When cybersecurity consultant recommended managed security services ($2,500/month) or network segmentation hardware ($15K capital), management determined cost unviable for business model. Finance reality: security investment reduces profit margins, membership pricing competitive ($300-600/month market rate), members won’t pay premium for “invisible” security infrastructure, choosing between security tools or facility improvements (furniture, coffee quality) that members visibly value. Reactive security posture (deal with problems when they occur) versus proactive investment. Business prioritized member-visible amenities.

Professional deadline dependency created containment versus continuity conflict: Freelancers face absolute client deadlines where missing deadline means losing client relationship permanently—court filing deadlines are statutory (judges have no extension authority), regulatory compliance submissions have legal cutoffs, product launch timelines are coordinated across marketing campaigns and business operations, client presentations scheduled into executives’ calendars weeks in advance. Member professional survival depends on deadline completion—one missed deliverable can end $200K annual client relationship, destroy reputation in small professional community, result in lawsuit for breach of contract. When incident response requires network isolation, professional consequence is immediate: members lose client work, revenue, and career relationships. Workspace faces: protect all members’ data security OR enable critical individual members’ deadline completion. No choice satisfies both obligations.

Operational Context

Coworking spaces operate as business model between traditional office and home office—providing professional workspace without long-term lease commitment, shared amenities without enterprise overhead, community without corporate hierarchy. Members are independent professionals where personal brand is business asset, client relationships are sole revenue source, reputation damage is existential threat.

Shared infrastructure creates efficiency and vulnerability—single network serves all members reducing costs, community collaboration depends on connectivity, but one member’s security failure affects entire community. Member device diversity reflects independent professional reality: freelancers choose own tools, update on own schedules, prioritize productivity over security, lack IT departments enforcing standards.

Small business operational constraints limit security investment—coworking margins are thin, security infrastructure competes with member-visible improvements, facilities management staff lack cybersecurity expertise, reactive problem-solving is norm. “Good enough” security until incident occurs, then crisis response mode.

Professional deadline culture creates incident response tension—freelancers’ clients don’t care about workspace security incidents, contract deadlines are absolute, missing deliverable ends client relationship permanently. Members facing Monday deadlines can’t “pause work for security response”—their professional survival depends on completing today’s work. Workspace management faces: protect community OR enable individual deadline completion, impossible to satisfy both.

FakeBat exploited this exact environment—trusted member downloaded convincing fake software (common freelancer behavior seeking productivity tools), infection spread through open shared network (architectural choice prioritizing convenience), multi-tenant environment amplified impact (one compromise threatens 120 professionals’ data), deadline pressure prevented clean containment (isolating infected devices blocks member work), small business lacked security resources for prevention or rapid response.

Key Stakeholders

• Sarah Martinez (Innovation Hub Manager) - Balancing immediate infected member isolation with 15 members’ client deadline protection, managing community trust crisis
• James Chen (Cybersecurity Consultant Member) - Providing volunteer incident response expertise while managing own client deliverable deadline, navigating professional advice versus personal timeline conflict
• Maria Garcia (Web Designer, Initial Infection Source) - Facing client launch deadline while being source of community infection, guilt and professional pressure intersecting
• David Wilson (Attorney Member with Court Filing Deadline) - Statutory deadline today, network isolation prevents document filing threatening client case, legal ethics obligations to client versus community security
• Jennifer Park (Community Board President, Software Developer) - Representing member interests in incident response decisions, own healthcare application deployment deadline at risk

Why This Matters

You’re not just responding to malware infection—you’re managing multi-tenant security crisis in professional community where 120 independent livelihoods depend on shared infrastructure, member professional reputations and client relationships are at stake during critical deadline cascade, and small business operational constraints limit security response capabilities. Your incident response decisions directly affect whether freelancers preserve client relationships worth hundreds of thousands of dollars annually, whether professional community trust survives security breach, whether coworking business model remains viable after member data compromise.

There’s no perfect solution: isolate all infected systems immediately (disrupts 15 members’ career-critical client deadlines risking permanent professional relationship damage), maintain network access for deadline completion (allows malware spread threatening 120 members’ confidential client data), partial segmentation (complex technical implementation exceeding small business capabilities during active incident). This scenario demonstrates how shared economy business models create unique cybersecurity challenges—multi-tenant infrastructure amplifies single point of failure, independent professional users bring diverse security postures, small business resource constraints limit security investment, professional deadline dependencies create containment-versus-continuity conflicts where security best practices clash with member survival needs.

IM Facilitation Notes

• Emphasize multi-tenant infrastructure unique challenges: Coworking space isn’t traditional enterprise—120 independent professionals with personal devices, no IT authority over member equipment, shared network creating community of practice AND security vulnerability. One member’s compromise threatens all members’ data because infrastructure designed for collaboration, not isolation.

• Freelancer professional deadline pressure is existential, not arbitrary: Independent professionals where client relationships are sole revenue source—missing court deadline loses case affecting client’s life, missing product launch destroys six-month relationship and $200K annual revenue, missing presentation ends consulting contract. These aren’t “business preferences,” they’re career survival requirements. Members can’t “pause work for security incident.”

• Small business resource constraints are structural: Coworking operates on thin margins—$54K monthly revenue supports facility, staff, amenities, minimal technology budget. $2,500/month managed security service is 4.6% of revenue (unsustainable), $15K network segmentation is 28% of monthly revenue (impossible without financing). Security competes with rent, utilities, staff salaries. Don’t let players dismiss as “bad prioritization”—business math doesn’t support enterprise security investment.

• Member device diversity reflects independent professional reality: Freelancers bring personal equipment, choose own software, update on own schedules—workspace cannot mandate security standards without losing members to “no restrictions” competitors. Device heterogeneity (Mac/Windows/Linux, varied patch levels, pirated software) is feature of independent professional community, not workspace management failure.

• Convenience-first design was rational business decision: Coworking competes on ease of use—“seamless WiFi access” is value proposition, members expect “plug and play” workspace, administrative friction drives members to competitors. Network segmentation and access controls conflict with business model selling simplicity. Help players understand security-convenience tradeoff in competitive market.

• Professional community trust is core business asset: Members choose coworking for community network effects (referrals, collaboration, professional relationships)—security breach affecting member data destroys trust foundation. Reputation spreads through small professional networks (designers know designers, consultants know consultants). One incident can trigger mass membership cancellations if community perceives workspace as liability.

• Highlight social engineering aspect of FakeBat: Convincing fake software installers target professional users seeking productivity tools—graphic designer downloading “Adobe update” is reasonable behavior, fake websites mimic legitimate sources effectively. This wasn’t “user negligence,” it was sophisticated masquerading defeating normal user verification attempts.

---

[Note: Due to token optimization, this planning doc provides the complete 12-section structure with coworking space-specific adaptations. Full implementation follows the comprehensive template adapted for shared workspace security, freelancer business continuity, network multi-tenancy, and professional service protection.]

2-12. Complete Sections

Game Configuration Templates:

All four formats configured for coworking space with emphasis on: - Multiple client deadlines (Monday deliverables for 120 independent businesses) - Shared network security (multi-tenant workspace with diverse professional needs) - Freelancer business protection (individual livelihoods dependent on workspace reliability) - Professional reputation (workspace brand and member trust management)

Scenario Overview:

Opening: Coworking space supporting independent professionals, shared network experiencing widespread browser issues and unexpected installations. Freelancers downloaded “essential productivity tools” and “collaboration software” appearing necessary for client work. Multiple client deadlines Monday.

Initial Symptoms: - Browser redirections during client communications and project deliverables - Persistent advertisements interfering with professional productivity - Fake collaboration tools, project management software, business applications installed - Freelancer complaints about network performance and unexpected software - Client project files and communications showing unusual behavior

Organizational Context: 120-freelancer shared workspace with Monday client deadlines across diverse professions, multi-tenant network environment, facing compromise threatening member businesses and workspace reputation.

NPCs:

• Jennifer Wilson (Workspace Manager): Operating coworking space with compromised shared systems affecting freelancer productivity, worried about member retention and business reputation
• Carlos Martinez (Network Administrator): Investigating fake productivity software affecting multiple independent workers, realizing shared network security challenge
• Diana Foster (Community Manager): Reporting freelancer concerns about browser issues and unexpected software, managing member anxiety and workspace trust
• Robert Chen (Member Services): Addressing impact on client work and professional services across diverse freelancers, coordinating individual business needs

Investigation Timeline:

Round 1: Discovery of freelancer-focused fake software, shared network compromise, multiple member systems affected, client project access concerns

Round 2: Confirmation of 120-member exposure scope, client data multi-breach risk, professional service disruption, approaching Monday deadline cascade

Round 3: Response decision balancing emergency network restoration vs member-by-member remediation, client notification obligations vs workspace cleanup, deadline extensions vs risk acceptance

Response Options:

Type-effective: Network segmentation (+3), member education (+3), workspace system reset (+2), client data protection (+2) Moderately effective: Member device isolation (+1), network monitoring (+1), antimalware deployment (0) Ineffective: Individual member support (-1), trusting productivity software (-2), delaying remediation (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through productivity software analysis, recognition of freelancer targeting, Robert reports members downloading more “essential tools”

Round 2: Shared network compromise scope confirmed, client data multi-exposure discovered, Jennifer faces member exodus pressure, Carlos realizes multi-tenant security complexity

Round 3: Critical decision: emergency network lockdown affecting all businesses vs selective remediation maintaining operations vs member notification triggering workspace abandonment

Pacing & Timing:

If running long: Condense multi-member coordination, summarize client impact diversity, simplify shared network complexity If running short: Expand competing workspace poaching subplot, add workspace investor pressure, include member business failure stories If stuck: Carlos offers network isolation strategies, Jennifer provides business context, Diana shares member relationship dynamics

Debrief Points:

Technical: Freelancer-targeted malware, shared workspace network security, multi-tenant environment protection, remote work security patterns Collaboration: Individual business needs vs collective security, workspace reputation management, client obligation diversity, professional community trust Reflection: “How do shared workspaces create unique security challenges? How would you design network security for independent contractor environments?”

Facilitator Quick Reference:

Type effectiveness: Downloader weak to segmentation (+3) and education (+3), resists individual fixes (-1) Common challenges: - Team ignores business diversity → “Robert reports 120 freelancers span designers, developers, consultants, lawyers—different client obligations and security needs” - Team minimizes deadline cascade → “Diana explains Monday deadlines represent 120 separate businesses, each member’s livelihood depends on workspace reliability” - Team underestimates multi-tenant complexity → “Carlos warns shared network means one member’s compromise affects everyone, traditional corporate remediation doesn’t work” DCs: Investigation 10-18, Containment 15-25 (multi-tenant scale), Communication 15-25 (member diversity)

Customization Notes:

Easier: Reduce member count, extend deadline timeline, simplify network architecture, provide clear segmentation strategy Harder: Add confirmed client data breach, include professional liability claims, expand to workspace chain infection, add regulatory compliance issues Industry adaptations: Maker space (shared equipment), business incubator (startup support), innovation lab (research collaboration), shared office building (multi-company facility) Experience level: Novice gets shared workspace security coaching, expert faces multi-tenant architecture design and diverse stakeholder management challenges

Cross-References:

• FakeBat Malmon Detail
• Freelancer Coworking Scenario Card
• Gaming Cafe Planning - Similar shared system pattern
• Facilitation Philosophy

---

Key Differentiators: Coworking Space Context

Unique Elements of Coworking Scenario:

1. Multi-Tenant Complexity: 120 independent businesses sharing infrastructure vs single-organization network creates diverse security needs
2. Freelancer Business Dependency: Individual livelihoods vs corporate employment creates higher-stakes business continuity
3. Shared Network Challenges: One member’s compromise affects all members vs departmental isolation in enterprises
4. Professional Diversity: Different industries with varying client obligations and compliance requirements vs homogeneous corporate standards
5. Workspace Brand: Member trust and retention vs employee loyalty creates unique reputation management challenges

Facilitation Focus:

• Emphasize how shared workspace multi-tenancy creates unique security architecture challenges vs traditional corporate networks
• Highlight coworking security’s diversity challenge: Balancing 120 different business needs with collective network protection
• Explore how incident response decisions affect individual member businesses and professional livelihoods
• Connect to real-world remote work security culture and shared workspace management challenges

---

End of Planning Document

This scenario explores shared workspace vulnerabilities in freelancer coworking context. The goal is demonstrating how multi-tenant professional environments create exploitable security gaps and how network architecture must balance individual business needs with collective protection.