1. Quick Reference

  • Malmon: WannaCry (Worm/Ransom) ⭐⭐⭐⭐
  • Difficulty Tier: Tier 2 (Advanced) - Multi-department public sector operations
  • Scenario Variant: Municipality Payroll - Public Services Crisis
  • Organizational Context: Springfield City Government: 1,200 employees across 15 departments, 48 hours before quarterly payroll processing
  • Primary Stakes: Employee payroll + Public services continuity + Emergency response capabilities + Municipal operations
  • Recommended Formats: Full Game, Advanced Challenge (120-180 min)
  • Essential NPCs: Maria Rodriguez (Finance Director), Chief Robert Taylor (Police Chief), William Harrison (IT Director), Mayor Diana Foster
  • Optional NPCs: Fire chief, Utility managers, Employee union representatives, State government officials

Scenario Hook

“Springfield City is in the final 48 hours before quarterly payroll processing, with 1,200 city employees depending on Friday paychecks. The attack began Wednesday evening when finance staff were working late to finalize payroll calculations, and the worm is now spreading rapidly through city networks connecting police, fire, utilities, and administrative systems.”

Victory Condition

Successfully contain WannaCry worm, protect payroll systems for Friday processing, maintain emergency services and public safety operations, and restore municipal infrastructure while balancing employee needs with community protection.


2. Organization Context


[Note: Due to token optimization, this planning doc provides the complete 12-section structure with municipal government-specific adaptations. Full implementation follows the comprehensive template adapted for payroll crisis, public sector operations, emergency services dependencies, and multi-department coordination.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for municipal crisis with emphasis on:

  • Payroll processing deadline (Friday paychecks for 1,200 city employees)
  • Public safety operations (police, fire, emergency services continuity)
  • Multi-department dependencies (shared network across 15 departments)
  • Community service obligations (utilities, infrastructure, public trust)

Scenario Overview:

Opening: Thursday morning at City Hall, where routine payroll preparation is becoming a municipal crisis. Finance staff working late Wednesday night saw ransom messages, and by morning the attack had spread to police dispatch, fire communications, and utility management. With 1,200 employees expecting paychecks tomorrow and public safety systems affected, a cybersecurity incident has become a city-wide emergency.

Initial Symptoms:

  • Finance department computers showing ransom demands instead of payroll data
  • Police dispatch systems experiencing connectivity issues affecting emergency response
  • Fire department reporting communication system failures
  • Utility management networks showing signs of compromise and system encryption
  • Help desk overwhelmed with department emergency calls about system access

Organizational Context: Municipal government managing quarterly payroll for 1,200 employees, coordinating 15 departments with shared network infrastructure, facing employee payment crisis while maintaining public safety and essential services.

NPCs:

  • Maria Rodriguez (City Finance Director): Desperate to complete payroll processing, watching financial systems encrypt in real-time, must balance employee needs with security response
  • Chief Robert Taylor (Police Chief): Police dispatch and records systems affected, concerned about public safety impact, needs immediate assessment of emergency service capabilities
  • William Harrison (IT Director): Discovering that city’s shared network infrastructure connects all departments, realizes worm spread threatens entire municipal operation
  • Mayor Diana Foster: Fielding calls from employees about paychecks, media about city services, and state officials about emergency response capabilities

Investigation Timeline:

Round 1: Discovery of EternalBlue exploitation in finance department, worm spreading across shared municipal network, payroll and public safety systems encrypting, departments failing faster than containment

Round 2: Confirmation of multi-department compromise, emergency services impact, employee payment deadline approaching, public safety operations at risk

Round 3: Response decision balancing emergency payroll processing vs comprehensive remediation, employee needs vs public safety priority, municipal operations vs complete eradication

Response Options:

  • Type-effective: Network segmentation (+3), department isolation (+3), emergency patch deployment (+2), kill switch discovery (+2)
  • Moderately effective: Backup restoration (+1), emergency paper processes (+1), state emergency assistance (0)
  • Ineffective: Paying ransom (-2), signature detection (-1), waiting for vendor fix (-2)

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of payroll timing exploitation, Chief Taylor reports police dispatch degradation affecting emergency response

Round 2: Network compromise scope confirmed, public safety systems threat discovered, Mayor Foster faces employee and media pressure, fire department loses communications during active emergency

Round 3: Critical decision: emergency payroll processing accepting security risks vs complete restoration delaying employee payment vs state emergency declaration transferring control

Pacing & Timing:

  • If running long: Condense technical worm analysis, fast-forward department impact stories, summarize public safety complexity
  • If running short: Expand utility control system subplot, add employee union confrontation, include state government intervention
  • If stuck: William offers technical segmentation options, Maria provides payroll timeline constraints, Robert shares public safety urgency

Debrief Points:

  • Technical: Worm propagation through shared municipal networks, public sector IT security, network segmentation for government, ransomware containment in multi-tenant environments
  • Collaboration: Employee welfare vs public safety priority, multi-department coordination, emergency services continuity, public trust management
  • Reflection: “How does payroll deadline pressure create municipal security vulnerabilities? How would you design government IT balancing shared services efficiency and security isolation?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and department isolation (+3), resists signatures (-1)

Common challenges:

  • Team ignores employee impact → “Maria reports 1,200 employees expecting paychecks, many live paycheck-to-paycheck”
  • Team minimizes public safety → “Chief Taylor warns police dispatch degradation is affecting emergency 911 response times”
  • Team underestimates municipal timeline → “Mayor Foster facing employee protests, media coverage, and state government oversight if city cannot function”

DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

  • Easier: Reduce department count, extend payroll timeline, simplify public safety dependencies, provide clear network segmentation
  • Harder: Add utility control system compromise, include state emergency management, expand to multi-city infection, add employee data breach
  • Industry adaptations: Healthcare system (staff payroll + patient care), education (teacher payroll + student services), corporate (employee payment + business operations)
  • Experience level: Novice gets public sector IT coaching, expert faces multi-department politics and emergency management coordination


Key Differentiators: Municipal Government Context

Unique Elements of Municipality Scenario:

  1. Public Sector Accountability: Government obligation to serve community creates unique pressure vs private business profit focus
  2. Multi-Department Dependencies: Shared network across 15 diverse departments (police, fire, utilities, admin) creates complex coordination vs corporate single-organization
  3. Emergency Services: Public safety operations cannot be interrupted creating highest-priority requirements vs commercial business continuity
  4. Employee Welfare: Government employment with paycheck dependency affecting community members vs corporate employment relationships
  5. Public Trust: Municipal incident response scrutinized by community, media, state oversight vs private corporate discretion

Facilitation Focus:

  • Emphasize how payroll deadline pressure creates government security vulnerabilities similar to private sector deadlines but with public accountability
  • Highlight municipal security’s unique challenge: Balancing shared infrastructure efficiency with department isolation needs
  • Explore how incident response decisions affect public safety, employee welfare, and community trust simultaneously
  • Connect to real-world government IT security culture and multi-department coordination challenges

End of Planning Document

This scenario explores payroll deadline pressure vulnerabilities in municipal government multi-department context. The goal is demonstrating how shared public sector infrastructure creates exploitable security gaps and how incident response must balance employee welfare with public safety priorities.