1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Code Red (Worm/Stealth) |
| Difficulty Tier | Tier 2 (Advanced) - Complex academic institution dependencies |
| Scenario Variant | University Web Services - Fall Registration Crisis |
| Organizational Context | State University System: 50,000 students, 8,000 faculty/staff, managing 200+ departmental websites during registration |
| Primary Stakes | Student services continuity + Academic research data + University reputation + Internet infrastructure responsibility |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Dr. Patricia Moore (CIO), Robert Garcia (Web Services Director), Lisa Chang (Student Services Director), Professor Alan Davis (Computer Science) |
| Optional NPCs | Department chairs, Research partners, Student government, Media |
Scenario Hook
"State University is in the middle of fall semester registration when their IIS web servers hosting departmental websites, student services, and research portals begin showing defacement messages. The infected university servers are now participating in internet-wide scanning and coordinated attacks, threatening both campus operations and the university's role as a responsible internet citizen."
Victory Condition
Successfully contain Code Red worm, restore student services for registration continuity, stop university participation in internet-wide attacks, and protect academic research data while maintaining institutional reputation.
2. Organization Context
State University System: Web Infrastructure Crisis During Fall Registration
Detailed Context
Organization Profile
Type: Major state university system serving as flagship research institution, land-grant university providing undergraduate and graduate education across 12 academic colleges, operating R1 research programs (highest research activity designation), delivering statewide public service mission.
Size: 50,000 enrolled students (42,000 undergraduates, 8,000 graduate/professional students), 8,000 employees including 3,200 faculty members teaching courses and conducting research, 2,400 administrative staff managing enrollment services, student affairs, facilities, business operations, 1,200 IT personnel supporting campus technology infrastructure, 800 research staff, 400 support personnel.
Operations: Academic instruction across 180 degree programs, research expenditures totaling $420 million annually from federal agencies (NSF, NIH, DoD, DOE), private foundations, and industry partnerships, fall semester registration processing 50,000 student course enrollments generating $180 million tuition revenue, student services including on-campus housing (18,000 residents), dining operations, health services, recreation facilities, library system, operating 200+ IIS-based web servers across decentralized departmental infrastructure hosting academic content, research project sites, administrative portals, student information systems.
Critical Services: Fall registration system (48-hour enrollment window determining student access to courses, graduation timeline impacts), course catalog and scheduling database, housing assignment portal (18,000 on-campus residents), financial aid application and award notification system, student billing and payment processing, health services appointment scheduling, library resources and research databases.
Technology Infrastructure: Highly decentralized IT architecture - 12 academic colleges independently manage departmental web servers with minimal central oversight, IIS adopted widely for "Windows Active Directory integration" and "ease of use for non-technical faculty," legacy systems running varied IIS versions from 4.0 to 6.0, limited standardization across 200+ independently administered servers, campus network connecting distributed infrastructure through backbone routers.
Current Critical Period: 72 hours before fall semester registration window opens - student services preparing for peak demand, IT resources focused on registration system stability, course scheduling finalized by academic departments, faculty preparing syllabi requiring web publication, new student orientation concurrent with registration requiring functional campus technology.
Key Assets & Impact
Student Services & Registration Systems: Fall registration determines course enrollment for 50,000 students within 48-hour window - registration system downtime prevents students from securing required courses for degree progression, popular classes fill within hours creating sequence bottlenecks (prerequisite chains mean missing one course delays graduation), housing assignment system coordinates 18,000 on-campus residents (room assignments, meal plans, move-in logistics), financial aid portal distributes $280M in federal grants and loans requiring timely disbursement, international students on F-1 visas need course registration to maintain status, Code Red worm degrading server performance threatens registration window creating academic progression disruptions and student financial consequences.
Academic Research Infrastructure: 200+ research labs depend on departmental web servers for grant-funded project collaboration - NIH clinical trial data repositories serve multi-institution research networks, DoD-funded defense research requires secure project communication platforms, NSF collaborative grants link researchers across universities depending on data sharing infrastructure, industry-sponsored research projects deliver quarterly progress reports through web portals, server disruption delays research deliverables risking grant compliance and continued funding, graduate student dissertation work depends on research data access (graduation timeline impacts), $420M annual research enterprise faces operational disruption during emergency patching.
University Reputation & Public Safety: State flagship university serves as technology leader for higher education sector - infected servers participating in coordinated attacks against government and educational institutions create national media coverage, prospective students and parents evaluating university based on technology capabilities and campus safety, state legislators questioning university IT leadership and budget allocation, alumni donors concerned about institutional competence, Department of Homeland Security monitoring university as source of attack traffic, federal research sponsors reviewing cybersecurity posture for classified and sensitive research authorization, reputational damage affects student recruitment, research competitiveness, public trust in state's premier educational institution.
Immediate Business Pressure
Monday Morning, 72 Hours Before Registration Opens:
University CIO Dr. Michael Chen discovered Code Red worm had infected approximately 200 of the university's 220 IIS web servers across 12 academic colleges during weekend. Worm actively scanning internet addresses, participating in coordinated DDoS attacks, degrading server performance affecting registration system, course catalog, housing portal, financial aid services.
Network monitoring team traced infection to departmental servers with inconsistent patching - Biology Department server infected first Friday evening, lateral spread through campus network infected College of Engineering (28 servers), Business School (18 servers), Liberal Arts departments (45 servers), Student Affairs web infrastructure (12 servers), Housing and Residential Life (8 servers). Registration system backend affected, response times degraded 400%, system stability threatened.
University President's office received inquiries from state Governor's education advisor - news reports identifying university servers as attack sources, questions about state investment in university IT security, concerns about 50,000 students' academic progression if registration fails. Student Government Association president emailed demanding registration system guarantee. Parents calling admissions office asking if enrollment secure.
Critical Timeline:
- Current moment (Monday 9am): 200+ servers infected, registration opens Thursday 8am (72 hours), worm participating in attacks
- Stakes: 50,000 students need course registration, $180M tuition revenue, $420M research operations, national reputation crisis
- Dependencies: Decentralized IT means coordinating 12 college IT departments, registration window is absolute deadline (academic calendar printed, faculty schedules set), federal financial aid disbursement timeline tied to enrollment status
Cultural & Organizational Factors
Registration period operational priority delayed security patching: University culture prioritizes "student service continuity above all else" - when central IT proposed taking registration infrastructure offline for IIS security patches during late summer, Registrar's office refused citing "registration readiness" and "cannot risk system instability during enrollment window." Student Affairs leadership decision: maintain registration system availability (mission-critical student service) over applying patches (security team theoretical concerns). Decision made organizational sense - registration determines student course access affecting degree completion, enrollment drives tuition revenue ($180M), system downtime during registration creates immediate crisis affecting 50,000 students. Patches deferred until "after fall registration completes." Servers remained vulnerable during Code Red emergence.
Academic college autonomy prevents centralized IT security: University governance model distributes technology authority to academic colleges - colleges control own IT budgets from tuition revenue shares, hire own IT staff, purchase and manage own infrastructure independently. When central IT proposed mandatory security standards and centralized patch management, college deans rejected citing "academic autonomy" and "college-specific needs." Colleges defended: research computing requirements differ by discipline, central policies slow innovation, faculty need IT flexibility for specialized academic software. Result: 200+ servers managed by 12 independent college IT teams with inconsistent security practices, no central enforcement authority, patching decisions made at college level based on competing academic priorities. Code Red exploited decentralized architecture lacking coordinated defense.
Research computing priorities compete with security maintenance: Faculty performance measured by research grants, publications, student graduation rates - cybersecurity compliance not factor in tenure/promotion decisions. Research labs prioritize computing uptime for grant-funded experiments over security updates causing experimental interruptions. When IT staff proposed research server patching schedules, principal investigators (PIs) rejected: "experiments running 24/7 cannot be interrupted," "grant deliverable deadline next week, patch after submission," "research timeline doesn't accommodate IT maintenance windows." Faculty authority over research computing meant security teams lacked power to enforce patches on research infrastructure. University values (research excellence, faculty autonomy, grant success) took precedence over IT security requirements. Vulnerable servers supported active research projects.
Student services operational model creates single points of failure: Budget constraints drove server consolidation - registration system, housing portal, financial aid database, course catalog all hosted on shared IIS infrastructure to "maximize resource efficiency" and "reduce hardware costs." Business Affairs rejected proposals for redundant systems as "duplicative spending," questioned return on investment for backup infrastructure "sitting idle most of year." Decision reflected budget reality - state funding per student declined 22% over decade, administrative costs scrutinized by legislature, IT infrastructure competes with faculty salaries and student services for limited resources. Consolidation created dependencies: one compromised server affected multiple critical services, no backup capacity for emergency failover, patching required taking all student services offline simultaneously. Code Red worm exploited consolidated architecture.
Operational Context
Large state universities operate under complex competing pressures - flagship research mission, public service to 50,000 students, state legislative accountability, federal research compliance, tuition revenue dependence, enrollment competition. IT security competes against immediate operational needs: keeping registration running, supporting active research, maintaining student services, meeting academic calendar deadlines.
Decentralized governance reflects academic tradition - colleges control own budgets and operations, faculty governance prevents administrative mandates, departmental autonomy protects academic freedom. Central IT provides network backbone and recommendations, lacks authority to enforce security standards on college-managed infrastructure. Result: 200+ servers with 12 different patching policies, security decisions made by college IT directors balancing academic priorities against security requirements.
Registration period creates annual vulnerability window - late summer preparation means IT changes frozen to ensure system stability, all resources focused on registration readiness, security updates deferred until "after critical period." Annual cycle: spring semester focus (January-May), summer reduced operations (June-July), fall registration prep (August), freeze on changes. Security maintenance perpetually postponed for "next quarter after critical deadline passes."
Research culture prioritizes discovery over security - faculty evaluated on grants and publications, research computing uptime enables experiments, security interruptions threaten deliverables and funding renewals. PIs control lab infrastructure through grant budgets, central IT serves research needs, security teams lack authority to mandate patches disrupting active research. University mission (advancing knowledge, serving state through research) creates operational environment where research continuity outweighs cybersecurity concerns.
Code Red struck during perfect storm - 72 hours before registration, research labs at full capacity with summer grant deadline work, decentralized IT preventing coordinated response, no redundant infrastructure allowing graceful failover, student services consolidation creating cascading failure potential. Worm exploited institutional governance model not designed for rapid cybersecurity response.
Key Stakeholders
- Dr. Michael Chen (University CIO) - Coordinating emergency response across 12 autonomous college IT departments while protecting registration system for 50,000 students
- Dr. Patricia Williams (Provost and Executive VP for Academic Affairs) - Balancing academic mission continuity with institutional reputation crisis, managing college deans' resistance to emergency IT mandates
- Robert Martinez (University Registrar) - Protecting fall registration window critical for student academic progression and university tuition revenue, no authority to delay registration (academic calendar published)
- Dr. Sarah Johnson (VP for Research) - Defending $420M research enterprise requiring server uptime for active grants with federal deliverable deadlines
- David Foster (VP for Student Affairs) - Maintaining housing, financial aid, health services for 50,000 students depending on affected web infrastructure during peak demand period
- Jennifer Chang (President) - Managing state Governor's inquiries about university cybersecurity, media crisis from attack participation, Board of Trustees emergency briefing
Why This Matters
You're not just responding to worm outbreak - you're managing crisis in complex academic institution where decentralized governance, competing academic priorities, student service obligations, research mission requirements, and public accountability create impossible choices during emergency cybersecurity response. Your incident response decisions determine whether 50,000 students access fall courses affecting graduation timelines and financial aid eligibility, whether $420M research enterprise maintains grant compliance, whether state flagship university manages reputational crisis from participating in attacks against government infrastructure.
There's no solution satisfying all stakeholders: emergency patch all servers (72-hour outage prevents registration, research disruption, student service failure), maintain operations through registration (continued attack participation damages reputation and federal relationships), coordinate response across 12 autonomous colleges (slow consensus-building during active attack). This scenario demonstrates how university governance structures designed for academic freedom and faculty autonomy create cybersecurity response challenges - distributed authority prevents rapid coordinated action, research and educational missions compete with security requirements, public service obligations to students conflict with infrastructure protection needs, budget constraints eliminate redundancy enabling graceful degradation.
IM Facilitation Notes
Emphasize decentralized governance as feature, not bug: University academic colleges have budget autonomy, faculty governance, mission differentiation - this isn't "bad management," it's deliberate structure protecting academic freedom and research independence. Central IT cannot simply "mandate" compliance across autonomous colleges. Help players understand why coordinated response requires negotiation, not command authority.
Registration window is immovable constraint: Academic calendar printed and distributed, faculty schedules set, classroom assignments made, financial aid disbursement tied to enrollment dates - registration cannot be postponed without cascading effects across entire institution. This isn't arbitrary deadline, it's coordinated commitment across complex organization. Delaying registration affects 50,000 students' course access and graduation timelines.
Research mission creates legitimate IT uptime pressures: Faculty evaluated on research productivity, grant deliverables have contractual deadlines, experiments require continuous computing, research funding drives university revenue and reputation - security interruptions compete against core academic mission. Don't let players dismiss research requirements as "excuses." PIs have fiduciary responsibilities to funding agencies.
Student service consolidation reflects budget constraints: State funding per student declined over decade, legislature scrutinizes administrative spending, IT competes with faculty positions and student programs - infrastructure redundancy is "luxury" when choosing between backup servers or hiring advisors helping students graduate. Budget decisions reflect resource scarcity, not negligence.
University reputation affects multiple stakeholders: Prospective students and parents making enrollment decisions, federal research sponsors evaluating security posture for classified work, state legislators controlling appropriations, alumni donors assessing institutional competence - reputational damage from attack participation has real consequences for enrollment, research authorization, public funding, community trust in state's flagship educational institution.
Academic culture values accessibility over restrictions: Universities exist to share knowledge, research collaboration requires open connectivity, educational mission emphasizes access - security restrictions that enhance corporate environments may conflict with academic values. Help players navigate tension between openness (core mission) and security (operational requirement).
Scale creates coordination complexity: 200+ servers across 12 colleges, 8,000 employees, 50,000 students, $420M research, $180M tuition - emergency response in large institution requires coordinating many independent actors with different priorities. Quick decisions possible in small organizations become negotiation processes in complex universities.
2-12. Complete Sections
Game Configuration Templates:
All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for academic crisis with emphasis on:
- Fall registration timeline (50,000 students dependent on web services)
- Academic institutional complexity (200+ departmental websites, research portals)
- Internet infrastructure responsibility (educational institution as internet citizen)
- Research community coordination (academic security collaboration)
Scenario Overview:
Opening: Monday morning during peak fall registration period, 50,000 students accessing course registration and student services. Hundreds of university web pages display "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" Network administrators discover IIS servers generating massive scanning traffic.
Initial Symptoms:
- Student registration portal displaying defacement instead of course enrollment system
- Departmental websites across campus showing identical compromise messages
- University IIS servers generating massive internet scanning traffic overwhelming bandwidth
- Academic research portals and faculty websites simultaneously compromised
- Help desk overwhelmed with student registration emergency calls
Organizational Context: State university system managing fall registration for 50,000 students, supporting academic research, facing student services disruption and internet infrastructure responsibility during critical academic period.
NPCs:
- Dr. Patricia Moore (Chief Information Officer): Managing critical student services during registration period, must balance immediate campus needs with university's responsibility as internet infrastructure provider
- Robert Garcia (Web Services Director): Overseeing 200+ departmental websites that are now defaced, trying to restore services while preventing further worm propagation
- Lisa Chang (Student Services Director): Managing registration crisis as student portal and course management systems display defacement messages instead of critical academic services
- Professor Alan Davis (Computer Science): Analyzing the worm's technical behavior and coordinating with academic security research community about internet-wide threat
Investigation Timeline:
Round 1: Discovery of IIS buffer overflow exploitation, memory-resident worm infection, defacement of academic websites, outbound scanning traffic indicating coordinated attack participation
Round 2: Confirmation of widespread campus compromise, student registration impact quantification, other universities reporting attacks from State University infrastructure, approaching registration deadline
Round 3: Response decision balancing emergency student services restoration vs complete worm eradication, academic continuity vs internet security obligations, immediate registration recovery vs research data protection
Response Options:
- Type-effective: Memory forensics (+3), network segmentation (+3), patch deployment (+2), academic backup restoration (+2)
- Moderately effective: Traffic filtering (+1), server isolation (+1), emergency student communication (0)
- Ineffective: Signature detection (-2), simple reboots (-1), waiting for vendor fix (-2)
Round-by-Round Facilitation:
Round 1: Malmon identification through worm behavior analysis, recognition of registration timing exploitation, Lisa reports students unable to register for required courses
Round 2: Campus compromise scope confirmed, internet attack participation discovered, other universities report attacks from State University, Professor Davis identifies global worm coordination
Round 3: Critical decision: emergency restoration accepting security risks vs complete remediation losing registration period vs hybrid approach balancing academic and security needs
Pacing & Timing:
- If running long: Condense technical worm analysis, fast-forward student impact stories, summarize academic network coordination
- If running short: Expand research data exposure subplot, add departmental autonomy conflicts, include accreditation implications
- If stuck: Robert offers technical worm analysis, Patricia provides academic timeline constraints, Alan shares research community context
Debrief Points:
- Technical: Memory-resident worm behavior, IIS buffer overflow exploitation, coordinated internet attack infrastructure, academic network security
- Collaboration: Academic continuity vs security thoroughness, distributed IT governance, internet infrastructure responsibility
- Reflection: "How does academic registration pressure create security vulnerabilities? How would you design university security balancing academic freedom and infrastructure obligations?"
Facilitator Quick Reference:
Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-2)
Common challenges:
- Team ignores student impact → "Lisa reports 50,000 students unable to register, add/drop deadline is in 48 hours"
- Team minimizes internet attacks → "Other universities threatening to block State University network, your servers are attacking educational infrastructure"
- Team underestimates registration timeline → "Registration period is finite, missed deadlines affect student graduation plans"
DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 15-25
Customization Notes:
- Easier: Reduce website count, extend registration timeline, simplify worm behavior, remove internet attack subplot
- Harder: Add research data breach, include FERPA compliance issues, expand to cross-institution infection, add accreditation review
- Industry adaptations: Healthcare system (patient portal crisis), government agency (citizen services disruption), corporate platform (customer service compromise)
- Experience level: Novice gets worm behavior coaching, expert faces distributed IT governance and academic autonomy challenges
Cross-References:
- Code Red Malmon Detail
- University Web Services Scenario Card
- E-commerce Platform Planning - Similar web infrastructure pattern
- Facilitation Philosophy
Key Differentiators: Academic Institution Context
Unique Elements of University Scenario:
- Distributed Governance: 200+ departmental websites with decentralized IT management creates coordination challenges vs centralized corporate infrastructure
- Academic Timeline: Fall registration represents critical student services period where security patches commonly delayed to avoid disrupting enrollment
- Research Data: Academic research portals contain sensitive research data creating additional protection obligations beyond student services
- Educational Culture: Academic freedom and departmental autonomy complicate centralized security response vs corporate command structure
- Internet Citizenship: Universities have special responsibility as internet infrastructure providers and research community participants
Facilitation Focus:
- Emphasize how academic registration pressure mirrors e-commerce's Black Friday and healthcare's patient safety pressure - creates similar vulnerability windows
- Highlight university security's unique challenge: Distributed IT governance complicates coordinated incident response
- Explore how incident response decisions affect multiple stakeholder groups (students, faculty, researchers, internet community)
- Connect to real-world academic security culture and registration period patch management challenges
End of Planning Document
This scenario explores academic registration pressure vulnerabilities in distributed university IT context. The goal is demonstrating how student services focus creates exploitable security gaps and how incident response must balance academic continuity with internet infrastructure responsibility.