INCIDENT ZERO

Disaster Recovery — Print & Play Bundle · v2.2 Playtest Edition

A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0

Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.

Contents:
  1. docs/HOW_TO_PLAY.md
  2. docs/TO_GUIDE.md
  3. docs/rules/core-rules.md
  4. docs/rules/module-disaster-recovery.md
  5. docs/standalone-games/disaster-recovery.md
  6. cards/disaster-recovery/core-deck/crisis-action-cards.md
  7. cards/disaster-recovery/core-deck/event-cards.md
  8. cards/disaster-recovery/core-deck/stakeholder-cards.md
  9. cards/disaster-recovery/expansion-deck/advanced-scenarios.md
  10. cards/print-templates/tracker-sheets.md

docs/HOW_TO_PLAY.md

How to Play Incident Zero

Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.

This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.


1. What Is This Game?

Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.

The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.

There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.

2. What You Need

3. The Core Loop (all modules)

Every module runs on the same engine:

  1. Turns. A fixed number of turns (announced at setup). Each turn: start-of-turn penalties → 2-3 minutes of team discussion → ONE team action → end of turn.
  2. Budget. One shared pool representing money, staff, and time. Every action costs Budget. Run dry and you can't act.
  3. The d20 roll. Uncertain actions need roll + modifiers ≥ 11.
  4. Justification modifiers. +2 for strong technical reasoning (methodology — why this approach works), +1 for naming real tools or techniques (Wireshark, EDR, Mimikatz, a MITRE technique). The TO judges honestly; vague = +0.
  5. Debrief. Every session ends with 5-10 minutes of "what happened, why, what would you do differently." This is where the learning locks in — don't skip it.

4. Your First Game: Incident Response (Beginner)

The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:

Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)

The three actions (Blue Team picks ONE per turn):

| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |

The pressure (TO applies at the START of each turn):
  - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not)
  - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)

When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).

Scripted opening — read this at the table

TURN 1.
TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?"
Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name."
TO: "That's a real methodology and a real tool — +2 and +1. Roll."
Rolls 9. 9+3 = 12 ≥ 11 — success.
TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago."
(First success on this link — clue only. Budget: 95 - 5 = 90.)

TURN 2.
TO: "Active Breach Cost, minus 5. Budget: 85."
Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs."
TO: "+2, +1. Roll."
Rolls 10. 13 ≥ 11 — second success on the same link.
TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward."
Team takes Budget Grant: 85 - 5 + 10 = 90.

TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)

How it ends

Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?

5. The Other Five Modules (one paragraph each)

Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.

6. Where to Go Next

| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |

7. Quick Reference (photocopy this)

Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150

docs/TO_GUIDE.md

The Threat Orchestrator's Guide

Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.


1. The Role

The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute:

If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.

A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.

2. Golden Rules

  1. Be fair, not nice. Never fudge dice — in either direction. The rules already give you legitimate difficulty dials (§5); use those, not your thumb on the d20.
  2. Never block on ignorance. If players are stuck, sell them a hint through the fiction ("your SOC junior suggests looking at outbound traffic...") rather than letting three turns die in silence.
  3. Announce costs before actions. "That's 15 Budget — confirm?" prevents every argument you'd otherwise have.
  4. Explain outcomes. Success or failure, say why in security terms. The explanation is the lesson; the roll is just pacing.
  5. Keep the clock. 2-3 minutes of planning per turn, firmly. Deliberation past that point is quarterbacking, not strategy.
  6. Let them be wrong. A confidently wrong plan that fails teaches more than a corrected plan that succeeds. Save the correction for the debrief.

3. Session Prep (15 minutes)

4. Judging Justifications (the heart of the job)

The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.

+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing.
  - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated)
  - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic)
  - ❌ "We investigate the email server thoroughly." (a location is not a method)

+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE.
  - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003."
  - ❌ "We use our security tools." (no it isn't)

Rulings that keep it fair:
  - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0.
  - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game.
  - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics").
  - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change.
  - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").

5. Difficulty Dials (live, legitimate)

Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.

| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |

Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.

6. Failure Modes (yours, not theirs)

| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |

7. Module Panels (your screen, one per module)

🔎 Incident Response — you are the hidden attacker

🛡️ Hardening — you become the pentester mid-game

🏗️ Network Building — you are the demanding business

🚨 Disaster Recovery — you are the crisis itself

🔬 Forensics — you are the evidence

📋 Audit & Compliance — you are the organization under review

8. Running the Debrief (10 minutes, non-negotiable)

Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.

9. First Session? Do This

  1. Run beginner Incident Response with the scripted opening in How to Play §4 — your first two turns are literally written out
  2. Keep the tracker sheet visible to everyone; public state builds trust in your fairness
  3. Log frictions on the session notes form — your confusion is playtest data too
  4. Forgive yourself one rules mistake per session; announce it, fix it forward, don't replay

docs/rules/core-rules.md

Incident Zero: Core Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Core Concept 🎯

Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO) (the facilitator), while all other players form Blue Teams (the Defenders).

How It Works

Players choose which module(s) to play based on learning objectives:

  1. Network Building Module - Design and secure infrastructure (30-45 min)
  2. Hardening Module - Build defense-in-depth (30-45 min)
  3. Incident Response Module - Detect and investigate hidden attack chains (30-45 min)
  4. Disaster Recovery Module - Manage breach crisis (30-45 min)
  5. Forensics Module - Investigate and attribute attacks (30-45 min) NEW in v2.1
  6. Audit & Compliance Module - Conduct security assessments (30-45 min)

Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.


Game Components (Universal)

Card Types

Threat Cards

Represent attacker actions. Each card includes:
  - Title: e.g., "Phishing Campaign"
  - Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
  - Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
  - Clue: Descriptive text for the Threat Orchestrator
  - Why This Works: Educational explanation (revealed after discovery)

Deck Composition:
  - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)


Defense Cards

Represent security controls. Each card includes:
  - Title: e.g., "Multi-Factor Authentication"
  - Countermeasure Vector: One of the six attack vectors
  - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget)
  - Description: What the defense does and when it applies

Deck Composition:
  - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md)
  - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)

Examples:
  - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget)
  - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget)
  - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)


Pentester Tactic Cards

Represent sophisticated attack techniques used in Hardening module (and potentially others).

8 Core Tactics (PT-01 to PT-08):
  1. PT-01: Social Engineering - Pretexting Attack
  2. PT-02: Malware Evasion - Living-off-the-Land Technique
  3. PT-03: Credential Dumping - Mimikatz Attack
  4. PT-04: Lateral Movement - Network Traversal
  5. PT-05: Privilege Escalation - Unpatched Kernel Exploit
  6. PT-06: Data Exfiltration - Unmonitored Channel
  7. PT-07: Supply Chain Compromise - Trusted Software Update
  8. PT-08: Insider Threat - Malicious Administrator

See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.


Asset Cards

Simple cards providing scenario context. Examples:
  - Email Server
  - Customer Database
  - Domain Controller
  - Web Application
  - Backup System
  - Developer Workstation


Game Materials Required

Physical Components:
  - One 20-sided die (d20)
  - Turn Tracker (paper or board, counts 1-12+)
  - Budget Tracker (shows 0-150+)
  - Reputation/Security Score Tracker (shows 0-100)
  - Uncontained Threats Tracker (shows 0-5)
  - Tokens or counters (for tracking upgrades, penalties)

Optional:
  - Score sheets (printable or paper)
  - Playbook tracking sheet
  - Stakeholder communication log (for Disaster Recovery)


Universal Game Mechanics

1. The d20 Roll System

When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.

How It Works:
  1. Player announces action and parameters
  2. Player rolls 1d20 (one 20-sided die)
  3. Add the modifiers to the roll and compare the total to the target number (usually 11)
  4. Success if: roll + modifiers ≥ target number

Example:

Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)

2. Budget System (Universal)

What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.

Budget Allocation by Module:
  - Network Building: Start at 40-60 (by difficulty; see module rules)
  - Hardening: Start at 150 (or carry over from IR)
  - Incident Response: Start at 100
  - Disaster Recovery: Start at 50 (emergency fund)
  - Forensics: Start at 75
  - Audit & Compliance: Start at 100 (used only for optional remediation cards)

Budget Spending:
  - Investigate action: 5 Budget
  - Deploy Defense: 10/15/25 Budget (by tier)
  - Emergency Response (IR): 15 Budget (v2.2; was 25)
  - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed
  - Harden Upgrade (Hardening): 5 Budget
  - Create Playbook (Hardening): 10 Budget
  - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0)
  - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0

Budget = 0: Team loses (cannot take further actions)

Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.


3. Turn System (Universal)

Turns represent: Time passing in the game world (6 hours, 30 minutes, or an abstract unit, depending on the module)

Turn Sequence:
  1. Start of Turn: Penalties applied, trackers announced
  2. Planning Phase: Team discusses strategy (2-3 min)
  3. Action Phase: Execute chosen action, resolve rolls
  4. End of Turn: Advance tracker, draw card, check events


3a. Variable Game Length System (v2.1 - New!)

Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.

For Beginners & Quick Play: Default Formula

Default Formula: (Attack Chain Cards × 2) + 1

This gives attackers enough time to progress realistically while keeping games manageable:

| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |

How to Use Default Formula:
  1. Choose number of threat cards in attack chain (3, 4, 5, or 6)
  2. Apply formula: (Cards × 2) + 1 = Turn Count
  3. Announce turn count to Blue Team
  4. Play game normally with that turn limit

Example Setup:

"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"


For Advanced Players: Complexity Tiers (v2.1)

Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:

Step 1: Select Attack Complexity Tier

| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |

Step 2: Add Randomness (Optional)

Roll 1d4 for variation:
  - Roll 1: -1 turn (tight timeline)
  - Roll 2 or 3: ±0 turns (no change)
  - Roll 4: +1 turn (extended dwell time)

Final Turn Count = Tier Base + d4 Result

Example Advanced Setup:

"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."


Critical Game Integrity Rules (v2.1)

These rules protect game balance and prevent metagaming:

Rule 1: Accept Any Roll (Even If It Feels Wrong)

The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.

Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.

Example Scenarios:
  - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic)
  - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)

When Chaos Feels Realistic:
  - Tight timeline: "The attacker worked faster than expected—they had prior knowledge"
  - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"

Implementation: Lean into the randomness as realistic incident variability.


Rule 2: Players Cannot Question Tier Based on Turn Count

The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.

Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).

What Players CAN Ask:
  - "What are the suspicious network events?" (leads to understanding threats)
  - "Can we analyze the malware?" (reveals attacker sophistication through findings)
  - "Why did this attack succeed?" (post-game discussion)

What Players CANNOT Ask:
  - "Is this a TIER 2 attack?" (deriving tier from turn count)
  - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)

Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.


Rule 3: TO Modifier Authority (Rare & Optional)

The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.

When to Use (Rare):
  - Scenario setup is unusually complex (multiple attack vectors, coordination across systems)
  - Player group is new and needs slightly easier conditions
  - Real-world incident being taught had specific timeline constraints

When NOT to Use (Prefer Random):
  - "The roll feels unlucky" (accept the chaos)
  - "I want this exactly 10 turns" (let dice decide)
  - "The attack chain is long so it should take longer" (that's what TIER system handles)

Implementation:
  1. Roll d4 normally
  2. Announce rolled result
  3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why
  4. Document the override for consistency in future scenarios

Example Valid Use:

"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have a 5-card attack chain, so I'm adding a +1 modifier (explaining that the discovery is methodical). Final: 8-10 turns."

Example Invalid Use:

"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)


Implementation Checklist

For Beginners (Use Default Formula):
  - [ ] Choose attack chain length (3, 4, 5, or 6 cards)
  - [ ] Calculate: (Cards × 2) + 1
  - [ ] Announce turn count
  - [ ] Play

For Advanced (Use Tier + d4):
  - [ ] Select TIER (1, 2, 3, or 4)
  - [ ] Announce TIER basis (not the number, just why it's that complexity)
  - [ ] Roll d4 for variation (hidden or public, your choice)
  - [ ] Calculate final turn count
  - [ ] Apply Rule 3 modifier if genuinely needed (rare)
  - [ ] Announce final turn count WITHOUT revealing tier


Quick Reference Card

Default Formula: Turn Count = (Attack Cards × 2) + 1

Tier System:
  - TIER 1: 5-7 turns (simple)
  - TIER 2: 8-10 turns (standard)
  - TIER 3: 11-13 turns (advanced)
  - TIER 4: 14-16 turns (expert)
  - Add d4 roll: -1, 0, 0, or +1

Golden Rules:
  1. Accept any roll (embrace chaos)
  2. Never reveal tier to players
  3. Modifier authority only when truly needed (rare)


4. Roll Modifiers (Universal)

All modules use the same modifier system for consistency:

+2 Bonus: Strong Technical Justification

Awarded when a player provides clear, specific reasoning for their action using real security concepts.

Examples:
  - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds"
  - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques"
  - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"

Criteria:
  - References specific tools (Splunk, EDR, SIEM, etc.)
  - Explains methodology (why this approach works)
  - Shows understanding of the threat being addressed


+1 Bonus: Real Tools or Techniques Referenced

Awarded when player references actual security tools or real attack/defense techniques.

Examples:
  - "We'll use Wireshark to analyze the network traffic"
  - "We're checking for Mimikatz usage in memory"
  - "We're reviewing EDR telemetry"
  - "We're looking for this specific CVE exploitation pattern"

Criteria:
  - References real tools (Wireshark, EDR, Splunk, etc.)
  - References real techniques (MITRE ATT&CK, specific CVEs)
  - Shows awareness of how things actually work


5. Uncontained Threats Penalty (Incident Response Module)

When Applied: Incident Response module only, applied at START of each turn

How It Works:
  1. When a threat card is revealed, add 1 to Uncontained Threats Tracker
  2. At START of each turn, deduct 5 Budget per uncontained threat
  3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker)
  4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)

Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.

Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.

Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):

Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 3: START → Deduct 5 Budget
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
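The Incident Response turn loop described in How to Play §4 and in the Uncontained Threats / Active Breach Cost rules above, as an added Python example (not part of the printed rules or the RetroVerse Studios materials): it encodes the v2.2 numbers, replays the scripted opening and checks the Budget arithmetic turn by turn. The IRGame class, its methods and the three-card chain are constructed here; the Deploy Defense action and the Defense deck are not modelled.

```python
from dataclasses import dataclass

# Numbers from the v2.2 Incident Response rules on this page.
TARGET = 11                  # roll + modifiers must reach 11
FAST_TRACK_TARGET = 5        # "next Investigate succeeds on 5+" reward
INVESTIGATE_COST = 5
EMERGENCY_COST = 15
ACTIVE_BREACH_COST = 5       # each turn while any chain card is still hidden
UNCONTAINED_COST = 5         # each turn per revealed-but-uncontained threat
BUDGET_GRANT = 10            # the "+10 Budget" reward

def turn_limit(chain_cards: int) -> int:
    """Default Variable Game Length formula: (Attack Chain Cards x 2) + 1."""
    return chain_cards * 2 + 1

def justification_modifier(strong_reasoning: bool, real_tool: bool) -> int:
    """+2 for stated methodology, +1 for a real tool/technique named; vague = +0."""
    return (2 if strong_reasoning else 0) + (1 if real_tool else 0)

@dataclass
class IRGame:
    chain: list              # hidden Threat card ids in kill-chain order (constructed)
    budget: int = 100
    turn: int = 0
    revealed: int = 0        # face-up cards; always the earliest in the chain
    contained: int = 0       # revealed cards that have been contained
    successes: int = 0       # Investigate successes on the earliest hidden link
    fast_track: bool = False

    @property
    def hidden(self) -> int:
        return len(self.chain) - self.revealed

    @property
    def uncontained(self) -> int:
        return self.revealed - self.contained

    def start_of_turn(self) -> int:
        """Apply the TO's start-of-turn penalties and return the new Budget."""
        self.turn += 1
        penalty = (ACTIVE_BREACH_COST if self.hidden else 0) + UNCONTAINED_COST * self.uncontained
        self.budget = max(0, self.budget - penalty)
        return self.budget

    def _spend(self, cost: int) -> None:
        if self.budget < cost:
            raise ValueError(f"cannot afford {cost} Budget (have {self.budget})")
        self.budget -= cost

    def investigate(self, roll: int, mods: int) -> str:
        """Returns 'fail', 'clue' (1st success on a link) or 'reveal' (2nd success)."""
        self._spend(INVESTIGATE_COST)
        target = FAST_TRACK_TARGET if self.fast_track else TARGET
        self.fast_track = False
        if roll + mods < target:
            return "fail"
        self.successes += 1
        if self.successes < 2:
            return "clue"
        if self.uncontained:     # revealing the next card auto-contains the previous one
            self.contained += 1
        self.revealed += 1
        self.successes = 0
        return "reveal"

    def emergency_response(self) -> int:
        """No roll: contain one revealed threat; returns the remaining uncontained count."""
        if not self.uncontained:
            raise ValueError("nothing revealed to contain")
        self._spend(EMERGENCY_COST)
        self.contained += 1
        return self.uncontained

    def reward(self, choice: str) -> None:
        """Pick ONE after a reveal: 'budget' (+10), 'fast_track' (next Investigate on 5+), or 'cards'."""
        if choice == "budget":
            self.budget += BUDGET_GRANT
        elif choice == "fast_track":
            self.fast_track = True
        elif choice != "cards":      # Defense deck is not modelled here
            raise ValueError(choice)

    def status(self) -> str:
        """Check at end of turn: all cards revealed = WIN; Budget 0 or turns exhausted = LOSS."""
        if self.hidden == 0:
            return "WIN"
        if self.budget == 0 or self.turn >= turn_limit(len(self.chain)):
            return "LOSS"
        return "IN PLAY"

def replay_scripted_opening() -> IRGame:
    """The first two turns of How to Play section 4 (suggested chain T-01 -> T-04 -> T-07)."""
    game = IRGame(chain=["T-01", "T-04", "T-07"])
    mods = justification_modifier(strong_reasoning=True, real_tool=True)   # +3
    game.start_of_turn()                   # Active Breach Cost: 100 -> 95
    game.investigate(roll=9, mods=mods)    # 9 + 3 = 12 >= 11: clue, Budget 90
    game.start_of_turn()                   # 85
    game.investigate(roll=10, mods=mods)   # 13 >= 11: T-01 revealed, Budget 80
    game.reward("budget")                  # Budget Grant: 90
    game.start_of_turn()                   # -5 hidden, -5 uncontained: 80
    return game
```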

Common Roles & Responsibilities

Threat Orchestrator (Facilitator)

Responsibilities:
  - Manage game state and track turns/budget
  - Describe scenarios and outcomes
  - Roll dice when action outcomes are uncertain
  - Guide the narrative

During Incident Response:
  - Create and manage hidden attack chain
  - Provide clues based on successful investigations
  - Control Uncontained Threats penalties
  - Be fair but challenging

During Other Modules:
  - Describe threat context and defenses
  - Draw Pentester Tactic cards (Hardening)
  - Manage timeline and deadlines (Disaster Recovery)
  - Guide debrief questions

Universal Tips:
  - Explain why actions succeed or fail
  - Ask clarifying questions about player strategy
  - Balance challenge with learning
  - Provide constructive feedback


Blue Team (Defenders)

Responsibilities:
  - Discuss strategy as a team
  - Choose one action per turn
  - Justify your decisions (gain +2 modifier)
  - Manage budget carefully
  - Learn from success and failure


Modifier Stacking Rules

Key Rule: Modifiers are additive and can stack.

Example (Hardening Module, canonical formula — v2.2):

Pentester Tactic: PT-02 Living-off-the-Land (DC 13)

Defense roll = d20
  + printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
  + hardening upgrades on that defense (+2 each; one upgrade: +2)
  + relevant playbook (+3)

Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS

Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.


Difficulty & Scaling

By Attack Chain Length

| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |

By Starting Budget

| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |

By Turn Limit

| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |

Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.


Educational Objectives

By Module

| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |

By Game Mechanic

| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |

Cooperative vs. Competitive Play

Cooperative Mode

Competitive Mode

Implementation:
  - Same setup for all teams
  - Teams cannot share information (Incident Response)
  - Score comparison determines winner (Hardening)
  - Reputation comparison (Disaster Recovery)


Debrief & Reflection (Universal)

Every module should include a 5-15 minute debrief with three sections:

Part 1: What Happened?

Part 2: Why Did That Happen?

Part 3: What Would You Do Differently?


Tips for Threat Orchestrators (Universal)

Before the Game

  1. Read the module rules completely - Know what's coming
  2. Prepare your scenario - Pre-build attack chain or threat context
  3. Organize materials - Sort cards, prepare trackers
  4. Know your balancing points - Be ready to adjust difficulty if needed
  5. Practice reading clues - Deliver them dramatically!

During Gameplay

  1. Be clear about costs - Announce Budget before action
  2. Resolve rolls immediately - Announce target, let player roll, resolve
  3. Ask clarifying questions - "Why are you investigating email headers?"
  4. Be fair but challenging - Give honest difficulty, don't fudge rolls
  5. Narrate outcomes - Describe what happens, not just success/failure
  6. Manage pacing - Keep turns moving (2-3 min discussion max)
  7. Track penalties accurately - Keep budget, turn, and threat trackers visible

Balancing Difficulty

Too Easy Signs:
- Team reveals all cards/achieves goal with 40+ budget remaining
- No failed rolls
- No meaningful decisions required
- Team is bored

Too Hard Signs:
- Team is stuck/making no progress after 5 turns
- Multiple consecutive failed rolls
- Team frustrated rather than challenged
- No learning happening

Adjustment Options:
- Easier: Provide better clues, more starting budget, fewer tactics
- Harder: Less specific clues, lower budget, more tactics
- Faster: Shorter turn limits, simpler scenarios
- Slower: More turns, more complex scenarios


Card Reference

For complete card descriptions, see:
- Base Threat & Defense Cards: cards/incident-response/core-deck/threat-defense-cards.md
- Expansion Threats: cards/incident-response/expansion-deck/advanced-threats.md
- Expansion Defenses: cards/incident-response/expansion-deck/advanced-defenses.md
- All decks indexed: cards/CARD_REFERENCE.md


Module-Specific Rules

For complete rules on each module:


Quick Reference: Universal Mechanics

d20 Roll System

Budget System

Turn System

Penalties & Bonuses


Continuing to Next Steps

For your first game:
  1. Choose a module from Module Combinations
  2. Read the module-specific rules
  3. Read the standalone setup guide
  4. Prepare your scenario
  5. Play!

For multiple modules:
  1. Refer to Module Combinations for recommended sequences
  2. Refer to FRAMEWORK.md for modifier generation procedures
  3. Play first module, generate modifiers for next
  4. Continue as desired


Need Help?


Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition
Universal rules for all modules

docs/rules/module-disaster-recovery.md

Disaster Recovery Module: Rules & Mechanics

Version: 2.2 - Playtest Edition
Last Updated: October 2025

v2.2: the card system is canonical. The Disaster Recovery game is played with 12 Crisis Action cards (plus ACTION-13), 12 Event cards, and 5 Stakeholder cards. Track advances are deterministic — dice are used only for the optional Justification bonus and ACTION-13's "no guarantee" roll. See cards/disaster-recovery/ for the cards themselves and v2.2 Playtest Edition Changes at the bottom of this document for what changed.


Module Overview

The Disaster Recovery Module teaches crisis management and breach response when incident detection fails. This module is typically entered after losing an Incident Response module (representing an undetected or uncontained breach) but can also be played standalone to teach DR concepts.

This is not a "second chance" to solve the attack chain. Instead, it simulates the real-world consequences of a successful breach:
- Crisis management under pressure
- Stakeholder communication (board, customers, regulators)
- Forensic investigation with limited budget
- Public disclosure and legal requirements
- Incident containment and damage assessment
- Financial impact and recovery costs

Educational Purpose

- Incident Response: Teaches proactive threat detection and investigation
- Hardening (typically after an IR win): Teaches proactive defense and resilience
- Disaster Recovery (typically after an IR loss): Teaches crisis management, consequences, and recovery


Components (v2.2)

| Component | Count | Purpose |
|---|---|---|
| Crisis Action cards (ACTION-01 to ACTION-13) | 13 | The actions teams play each turn |
| Event cards (EVENT-01 to EVENT-12) | 12 | 6 Scheduled + 6 Triggered pressure events |
| Stakeholder cards (STAKE-01 to STAKE-05) | 5 | Five trust meters (0-100%) |
| Progress tracks | 3 | Investigation %, Remediation %, Communication % (0-100%) |
| d20 | 1 | Optional Justification bonus; ACTION-13 "no guarantee" roll |
| Track/trust sheets | | See print pack (coming); a piece of paper works fine |

Money mapping: 1 Budget ≈ $50K. All dollar figures (fines, ransoms) use this mapping unless marked narrative-only.


Entering the DR Phase

Prerequisites for DR Phase

Trigger: Team lost the Incident Response module by either:
- Reaching Turn 10 with unrevealed cards remaining, OR
- Running out of Budget (reaching 0)

Outcome: The attack chain proceeded undetected. The threat actor succeeded.

(Standalone play: skip Incident Response and start here — see the standalone guide.)

Discovery & Revelation

The Threat Orchestrator reveals the entire unrevealed attack chain to the Blue Team:
- All hidden Threat cards are shown
- The complete attack progression is explained
- The attacker's objectives are stated

Example Revelation: "Your security team was unable to detect the attack in time. The attacker successfully:
  1. Sent a phishing email (SOCIAL ENGINEERING)
  2. Harvested credentials (CREDENTIAL ABUSE)
  3. Moved laterally across your network (NETWORK)
  4. Dumped admin credentials (CREDENTIAL ABUSE)
  5. Exfiltrated your entire customer database (DATA EXFIL)

The attacker is now threatening to publish the data unless you pay $1M (20 Budget). You have 72 hours before regulators must be notified."


Setup (v2.2)

  1. Establish DR Budget:
     - Starting DR Budget = 50 (flat crisis allocation — insurance, emergency funds)
     - If entering from Incident Response: add any remaining IR budget (operational reserves)
     - If an Audit was played earlier: subtract audit gap penalties (total capped at -30 — see module-audit-compliance.md)
     - Budget floor is 0. Budget can never go negative; the free Holding Statement action is always available.

  2. Set the three progress tracks to 0%: Investigation, Remediation, Communication.

  3. Set the five stakeholder trust meters to their starting values: Customers 50%, Regulators 60%, Media 40%, Board 70%, Executives 80%. Meters clamp to 0-100%.

  4. Build the Event Timeline: place the 6 Scheduled events on their turns (EVENT-01 Turn 2, EVENT-04 Turn 3, EVENT-03 + EVENT-09 Turn 5, EVENT-02 Turn 6, EVENT-12 Turn 7). Lay the 6 Triggered events face-up where their conditions can be read.

  5. Ransom scenarios: note the ransom deadline (default: start of Turn 5) and put ACTION-13 where the team can see it.

  6. Reputation is NOT tracked during play. It is computed once, at game end (see Final Scoring). During play, the three tracks and five trust meters are the whole state.


The Crisis Clock (v2.2) — ONE clock

The game lasts 8 turns. Each turn is one crisis phase of ~6-12 hours of narrative time:

| Turn | Narrative Time | Key Deadline |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Internal legal/executive escalation complete (narrative; this was mislabeled a "regulatory deadline" in v2.1 — the regulatory anchor is GDPR 72h) |
| 3 | +18h | Board Meeting (EVENT-04) |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended (ACTION-09); default ransom deadline (ACTION-13) |
| 6 | +48h | Regulatory escalation begins (EVENT-02): -10 Regulator trust per un-notified turn |
| 7 | +60h | Government subpoena (EVENT-12) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |

All deadlines on every card use this clock. There are no 12-hour, 24-hour, 30-day, or 60-day timers anymore; the former 30/60-day deadlines are deferred final-scoring consequences (see Final Scoring).

(Exception: EVENT-08 Second Breach extends play to Turn 10, once per game. Scoring deadlines do not move.)


Turn Sequence (v2.2)

Each turn:

1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Reveal and resolve this turn's Scheduled event
   - Check all un-fired Triggered events; resolve any whose condition is met
   - Apply decay/deadline penalties (e.g., Customer decay, Regulator -10/turn from Turn 6 if un-notified)

2. TEAM ACTION (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its Budget cost, apply its track advance
   - Multi-turn actions (Duration N): the card occupies your action slot only on the turn started; its advance completes at the start of the Nth following turn. Only one multi-turn action in flight at a time.
   - Or take the free Holding Statement (0 Budget, +5% Communication; always available, counts as a Communication action for decay purposes)
   - Optional Justification bonus (v2.2): if the team gives a strong, specific technical justification for the action, the TO may allow a d20 roll — on 11+, that action's track advance gains +5%. This is the only d20 in track advancement, and it is a bonus, never a gate.
   - ACTION-13 (Ransom Decision) may be declared at any time before the ransom deadline; it does not use the action slot and happens once per game.

3. APPLY STAKEHOLDER EFFECTS
   - Apply the played action's trust effects (table below)

4. END OF TURN
   - Check the loss condition: any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter

Action → Trust Effects (v2.2 canonical table)

| Action | Trust effects when completed |
|---|---|
| ACTION-01 Forensic Analysis | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | |
| ACTION-03 Log Analysis | |
| ACTION-04 Third-Party IR | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Executives +5 |
| ACTION-06 Containment | Executives +5 |
| ACTION-07 Rebuild from Backup | Executives +5, Customers +5, Board +5 |
| ACTION-08 Credential Reset | Executives +5 |
| ACTION-09 Customer Notification | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Regulators +20 |
| ACTION-11 Media Management | Media +20, Customers +10 |
| ACTION-12 Board Communication | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | — (scoring effects only) |
| Holding Statement (free) | — (stops Customer decay) |

Where a Stakeholder card lists a range (e.g., "+2-5%"), this table is the single authoritative value (v2.2).


Deadlines (v2.2)

| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only |
| Customer notification (ACTION-09) | End of Turn 5 (recommended) | Customer trust -10 per later turn; EVENT-05 Class Action may trigger; never notified = -15 Reputation at final scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) — GDPR 72h | End of Turn 8 (escalating from Turn 6) | Regulator trust -10 per turn from Turn 6 while un-notified; never notified = -20 Reputation at final scoring (deferred fine) |

Ransomware & ACTION-13 (v2.2)

If the scenario includes a ransom/extortion demand, the team must resolve ACTION-13: Ransom Decision before the ransom deadline (default: start of Turn 5). Exactly one option, once per game:

| Option | Cost | Reputation (at scoring) | Effect |
|---|---|---|---|
| PAY | 20 Budget (≈ $1M) | -15 | Data-publication event skipped/cancelled; +20% Remediation immediately. No guarantee: TO rolls d20 — on 1-5 the keys don't work: no refund, +0% Remediation (publication stays cancelled). |
| NEGOTIATE | 5 Budget | -5 | Data-publication event delayed by 2 turns (default: to start of Turn 7). |
| REFUSE | 0 Budget | 0 (-20 if the data-publication event later triggers) | No payment, no delay. |

Data-publication event: if the team has not PAID by the (possibly delayed) deadline, the attacker publishes the stolen data: Customer trust -20, Media trust -15, plus the REFUSE scoring penalty if applicable.

Corrected facts (v2.2): payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage. The FBI discourages payment. Payment guarantees nothing.

Decision Framework for Teams:
- Small company, limited budget: may pay (can't afford extended downtime)
- Large company, security-conscious: often refuses (sets precedent, funds crime)
- Critical infrastructure: may negotiate with government assistance
- Regulated industry / sanctioned actor: payment may be legally impossible

Educational Purpose: the ethical and practical considerations of ransom decisions; no "right" answer — it depends on risk tolerance.


Financial Impact Tracking

Immediate Costs (paid from DR Budget, floor 0):
- Crisis Action card costs (see the Crisis Action deck)
- Event costs (subpoena legal fees, regulatory fine, lost revenue)
- Ransom payment or negotiation (ACTION-13)

Deferred/Ongoing Costs (narrative-only; discuss in debrief):
- Credit monitoring, legal costs, long-tail regulatory exposure, customer churn
- Real-world scale: GDPR fines run up to €20M or 4% of global turnover, whichever is higher; total breach costs typically run to millions

The scoring system captures deferred consequences as Reputation penalties (below) rather than as a parallel money ledger.


Final Scoring (v2.2): Computing Reputation

Reputation is computed once, at game end. The three tracks and five trust meters drive play; Reputation (0-100) is the outcome measure.

FINAL REPUTATION = 100, then apply:

1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   50-100%  ->  -0
   25-49%   ->  -5
   10-24%   ->  -10
   0-9%     ->  -20

2. STAKEHOLDER TRUST (average of the five meters at game end)
   70%+     ->  +5
   50-69%   ->  0
   30-49%   ->  -10
   below 30 ->  -20

3. DECISION & EVENT MODIFIERS (each applies at most once)
   +5   Customers notified transparently by end of Turn 5 (ACTION-09)
   +3   per completed quality investigation (ACTION-01 or ACTION-04),
        MAX +6 total per game
   -5   ACTION-13 NEGOTIATE          (only one ACTION-13
   -15  ACTION-13 PAY                 modifier can apply)
   -20  ACTION-13 REFUSE and data was published
   -10  EVENT-05 Class Action triggered
   -10  EVENT-06 Regulatory Fine triggered
   -10  EVENT-08 Second Breach triggered
   -15  Customers never notified in-game (deferred statutory violation)
   -20  Regulators never notified in-game (deferred GDPR fine)

4. CLAMP the result to 0-100.

Outcome Tiers (v2.2 — the ONE tier table, identical in the standalone guide)

| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |

Loss Conditions (v2.2 — ONE authoritative list, in precedence order)

  1. Any stakeholder trust meter at 0% at any point = immediate loss. "The company collapses." Nothing else matters.
  2. Otherwise, the game ends after Turn 8 (Turn 10 if EVENT-08 fired) and the outcome is the tier table above.

Below 20% trust is a CRITICAL warning state only — it triggers escalation events but is never itself a loss. The old "<30% trust = loss" rule is removed.

Optional Difficulty Variant: Scope-Scaled Start

Default: the Reputation computation starts at 100 for every game. As a clearly-labelled optional difficulty variant, start the computation lower for bigger breaches:

| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |

Worked Example (v2.2, recomputed)

Scenario: "The Ransomware Nightmare" — customer database encrypted and exfiltrated (500K records), ransom demand $1M (20 Budget), publication threatened. Standalone play, default difficulty. Budget 50.

| Turn | Action (cost) | Tracks | Events & trust |
|---|---|---|---|
| 1 | ACTION-02 Threat Hunting (8); justification roll 14 → +5% | Inv 20 | |
| 2 | ACTION-06 Containment (8) | Rem 15 | EVENT-01: no media action yet → Media 40→30. Exec +5 → 85 |
| 3 | ACTION-10 Notify Regulators (8); declare ACTION-13 NEGOTIATE (5) | Comm 10 | Customer decay (no Communication action completed yet at start of turn): Customers 50→40. Regulators 60→80. EVENT-04 unprepared (no ACTION-12) → Board 70→50. Publication delayed to start of Turn 7 |
| 4 | ACTION-05 Patch & Harden (10) | Rem 35 | No more decay (ACTION-10 completed). Exec +5 → 90 |
| 5 | ACTION-09 Customer Notification (10) | Comm 30 | Customers 40→55, Media 30→35. EVENT-03 passed → +5 Rep at scoring. (Private company: skip EVENT-09) |
| 6 | Holding Statement (0) | Comm 35 | EVENT-02: already notified → Regulators +5 → 85. EVENT-08 check: Rem 35 ≥ 30 → does not fire |
| 7 | Holding Statement (0) | Comm 40 | Data published (unpaid): Customers 55→35, Media 35→20. EVENT-12: Exec 90→80, Budget 1→0, Inv +5% → 25 |
| 8 | Holding Statement (0) | Comm 45 | Media at 20 (not below 20) → EVENT-07 does not fire. Game ends |

Budget spent: 8+8+8+5+10+10 = 49 of 50 (then -5 subpoena fees, floored at 0).

Final state: Tracks: Inv 25, Rem 35, Comm 45. Trust: Customers 35, Regulators 85, Media 20, Board 50, Executives 80 → average 54.

Scoring:
- Tracks: Inv 25 (-5), Rem 35 (-5), Comm 45 (-5) → -15
- Trust average 54 → 0
- Modifiers: +5 (transparent customer notification by Turn 5), -5 (NEGOTIATE) → 0
- Final Reputation: 100 - 15 = 85 → Exemplary (barely!)

Lessons visible in the example: the team skipped board prep (Board Meeting hurt), never bought media management (publication nearly triggered a frenzy at Media 20), and threading the ransom deadline with NEGOTIATE bought exactly enough time to notify everyone first. One different choice and this is a 70s game.
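The Final Scoring procedure and the worked example above, encoded as an added Python calculator (example code, not part of the Incident Zero rules; the GameEnd class and the function names are this example's own). It reproduces the 85 / Exemplary result from the tracker values, and also covers the collapse check, the capped forensic bonus, the REFUSE-and-published case and the 0-100 clamp, which the single worked example does not exercise.

```python
"""Final Reputation calculator for the Disaster Recovery module (v2.2).

Added example; it is not part of the Incident Zero rules text. It encodes the
"Final Scoring (v2.2): Computing Reputation" procedure and re-checks the
"Ransomware Nightmare" worked example. All names here are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# (minimum value, adjustment), checked from the highest band down.
TRACK_BANDS = ((50, 0), (25, -5), (10, -10), (0, -20))
TRUST_BANDS = ((70, 5), (50, 0), (30, -10), (0, -20))
OUTCOME_BANDS = ((85, "Exemplary"), (70, "Managed"), (55, "Damaged"),
                 (40, "Mismanaged"), (0, "Catastrophic"))
EVENT_PENALTIES = {"EVENT-05": -10, "EVENT-06": -10, "EVENT-08": -10}


@dataclass
class GameEnd:
    """End-of-game state, as read off the tracker sheet (hypothetical structure)."""
    tracks: Dict[str, int]                         # Investigation / Remediation / Communication
    trust: Dict[str, int]                          # the five stakeholder meters, 0-100
    customers_notified_turn: Optional[int] = None  # turn ACTION-09 completed; None if never
    regulators_notified: bool = False              # ACTION-10 completed in-game
    quality_investigations: int = 0                # completed ACTION-01 / ACTION-04
    ransom_choice: Optional[str] = None            # "PAY", "NEGOTIATE", "REFUSE" or None
    data_published: bool = False                   # data-publication event fired
    events_fired: Set[str] = field(default_factory=set)
    start: int = 100                               # 90 / 80 under the scope-scaled variant


def band(value, bands):
    """Return the result for the first band whose minimum `value` reaches."""
    for minimum, result in bands:
        if value >= minimum:
            return result
    return bands[-1][1]


def company_collapsed(g: GameEnd) -> bool:
    """Loss condition 1: any trust meter at 0% ends the game before scoring."""
    return min(g.trust.values()) <= 0


def decision_modifiers(g: GameEnd) -> int:
    """Step 3: decision and event modifiers, each applied at most once."""
    mods = 0
    if g.customers_notified_turn is not None and g.customers_notified_turn <= 5:
        mods += 5                                  # transparent notification by Turn 5
    mods += min(3 * g.quality_investigations, 6)   # +3 per ACTION-01/04, capped at +6
    if g.ransom_choice == "PAY":
        mods -= 15
    elif g.ransom_choice == "NEGOTIATE":
        mods -= 5
    elif g.ransom_choice == "REFUSE" and g.data_published:
        mods -= 20                                 # only REFUSE is penalised for publication
    mods += sum(EVENT_PENALTIES.get(ev, 0) for ev in g.events_fired)
    if g.customers_notified_turn is None:
        mods -= 15                                 # deferred statutory violation
    if not g.regulators_notified:
        mods -= 20                                 # deferred GDPR fine
    return mods


def final_reputation(g: GameEnd) -> Tuple[int, str, Dict[str, int]]:
    """Steps 1-4: track bands, trust-average band, modifiers, clamp to 0-100."""
    parts = {
        "tracks": sum(band(v, TRACK_BANDS) for v in g.tracks.values()),
        "trust": band(sum(g.trust.values()) / len(g.trust), TRUST_BANDS),
        "modifiers": decision_modifiers(g),
    }
    rep = max(0, min(100, g.start + sum(parts.values())))
    return rep, band(rep, OUTCOME_BANDS), parts


# Constructed from the "Ransomware Nightmare" worked example in these rules.
RANSOMWARE_NIGHTMARE = GameEnd(
    tracks={"Investigation": 25, "Remediation": 35, "Communication": 45},
    trust={"Customers": 35, "Regulators": 85, "Media": 20, "Board": 50, "Executives": 80},
    customers_notified_turn=5,
    regulators_notified=True,
    ransom_choice="NEGOTIATE",
    data_published=True,
    events_fired={"EVENT-01", "EVENT-04", "EVENT-02", "EVENT-12"},
)

if __name__ == "__main__":
    rep, tier, parts = final_reputation(RANSOMWARE_NIGHTMARE)
    print(rep, tier, parts)  # 85 Exemplary {'tracks': -15, 'trust': 0, 'modifiers': 0}
```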

Mandatory-path check (v2.2): the cheapest mandatory beats — investigate (ACTION-03: 5), notify regulators (ACTION-10: 8), notify customers (ACTION-09: 10), remediate (ACTION-08: 6) — cost 29 Budget. A stronger path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44. Both fit a 50-Budget team with room for events.


Sample Disaster Recovery Scenarios (v2.2 card sequences)

Scenario: "The Ransomware Nightmare"

See the worked example above. Key tension: ransom decision vs. notification deadlines.

Scenario: "The Insider Data Theft"

Attack chain revealed: disgruntled employee → lateral movement → Mimikatz → insider data theft. Data already for sale on dark web (no ransom demand — skip ACTION-13).

Suggested line of play (Budget 50-60):
  1. Turn 1: ACTION-03 Log Analysis (5) — establish the insider's access timeline
  2. Turn 2: ACTION-01 Forensic Analysis (12, Duration 2) — evidence for HR/legal/prosecution
  3. Turn 3: ACTION-10 Regulatory/Law-Enforcement Notification (8) — FBI referral
  4. Turn 4: (forensics completes: +25% Inv, +3 at scoring) ACTION-08 Credential Reset (6)
  5. Turn 5: ACTION-09 Customer Notification (10) — transparent disclosure
  6. Turn 6-8: ACTION-06 Containment (8), then Holding Statements

Teaching point: insider threats hit Executive and Board trust hardest; internal communication matters as much as external.

Scenario: "The Supply Chain Compromise"

Attack chain revealed: compromised vendor update → lateral movement → cloud API token theft → DNS tunneling exfiltration → persistent C2.

Teaching point: teams quickly realize they cannot finish remediation by Turn 8 — ACTION-07 rebuilds and ACTION-04 third-party IR eat the clock and the budget. That is the lesson: some incidents transition to months-long response. Expect a "Damaged"-tier result even from good play, and debrief why (complex incidents score lower on the same rubric).


DR Phase Outcomes & Debrief

Mandatory Lessons Learned Debrief (20 minutes)

After DR Phase completion, run a structured debrief:

Part 1: Attack Analysis (5 minutes)

  1. What was the initial compromise vector? Why did defenses fail?
  2. How far did the attacker progress? What could have stopped them?
  3. What was the attacker's objective? (Data theft? Ransomware? Persistence?)

Part 2: Detection Failures (5 minutes)

  1. Why wasn't this detected during Incident Response? What signs did we miss?
  2. What defense would have caught this attack?
  3. What monitoring/logging was inadequate?

Part 3: Response Evaluation (5 minutes)

  1. Was the forensic investigation adequate? What gaps remained?
  2. Did we communicate effectively with stakeholders? What went wrong?
  3. Was remediation thorough enough to prevent re-breach? (Did EVENT-08 fire?)

Part 4: Prevention for Next Time (5 minutes)

  1. What one thing would you deploy first if you replayed?
  2. How would you prioritize defenses differently?
  3. What process improvements would help next time?

Comparison: Hardening vs. Disaster Recovery (the two post-IR paths)

Win Incident Response → Hardening

Lose Incident Response → Disaster Recovery


Integration with Base Game: Full Game Flow

Option 1: Standalone Play (Single Path)

Option 2: Full Campaign (Both Paths)

Option 3: Tournament Mode


Teaching Notes for DR Phase

Key Learning Objectives

Incident Response Skills:
- Prioritize crisis response actions under pressure
- Coordinate across teams and stakeholders
- Make decisions with incomplete information
- Understand forensic investigation requirements

Business Impact Understanding:
- Recognize financial costs of breaches (not just immediate costs)
- Understand regulatory & legal consequences
- Learn about reputational damage and customer churn
- Recognize insurance and recovery programs

Stakeholder Management:
- Communicate effectively with diverse audiences (customers, regulators, media)
- Balance transparency with liability reduction
- Manage expectations during crisis
- Follow regulatory notification requirements (the GDPR 72-hour anchor)

Long-term Recovery:
- Incident doesn't end when systems are "fixed"
- Organizational recovery takes months/years
- Prevention is far cheaper than response
- Importance of pre-incident preparation

Discussion Questions After DR Phase

For Teams That Had Better Detection (Lost Incident Response by Turn 9-10):
- "If you'd detected the attack one turn earlier, what would have changed?"
- "What one additional control would have triggered detection?"
- "How does dwell time (time from compromise to detection) affect these costs?"

For Teams That Lost Quickly (Out of budget by Turn 5-6):
- "Why did your investigation fail so quickly?"
- "Which budget-saving action actually cost you more in the long run?"
- "What would aggressive early investigation have prevented?"

For All Teams:
- "How much did this incident actually cost (total financial + reputational)?"
- "If detection during Incident Response saves 80% of these costs, what should you invest in detection?"
- "How would a pre-prepared incident response plan have helped?"
- "What's the value of having a Disaster Recovery plan before you need it?"

Real-World Context for DR Phase

Average Breach Costs (2023 data; narrative-only):
- Detection Time (Dwell Time): 206 days average
- Cost per Compromised Record: $4.50 (varies by industry)
- Total Average Cost: $4.5M (for 1M records)
- Cost Breakdown: Detection & Analysis 25%, Containment & Eradication 20%, Recovery & Restoration 20%, Legal & Regulatory 15%, PR & Communications 10%, Customer Notifications 10%

Common Mistakes in Real Incidents:
- Poor forensic planning → Extended investigation costs
- Late customer notification → Regulatory fines + brand damage
- Inadequate remediation → Re-compromise (in-game: EVENT-08)
- Ransom payment → Funds future attacks; doesn't guarantee data deletion
- No incident plan → Chaos and poor decisions

Success Factors in Real Incidents:
- Pre-incident planning and training
- Clear communication protocols
- Rapid forensic investigation
- Transparent customer communication
- Thorough remediation
- Post-incident review and improvements


Variants & Extensions

Variant: "Instant Replay" Recovery

If a team scores 85+ (Exemplary), they can attempt a post-game Recovery Analysis: spend 5 remaining Budget for a deep forensic review, identify the systemic failure that allowed the Incident Response loss, and describe the detection investment that would have caught it. Models "turning crisis into opportunity."

Variant: "Ongoing Breach" (Extended Campaign)

Disaster Recovery doesn't necessarily end the incident: Week 2 threat hunting discovers a backdoor still active; Week 4 the attacker tries again; Week 8 a new variant appears. Replay DR with the Second Breach event pre-armed. Teams learn that some breaches have long tails.

Variant: "Insurance & Legal" Module

Add negotiation flavor at debrief: Did the insurer cover this incident? (Many policies restrict or exclude ransom coverage.) How much forensic evidence was preserved for lawsuits? Could you have negotiated the regulatory settlement?


Final Thought: Why This Matters

- Incident Response teaches: "Catch attacks early"
- Hardening (after a win) teaches: "Prevent future attacks"
- Disaster Recovery (after a loss) teaches: "Plan for what you'll miss"

Together, they create a complete incident response curriculum:
  1. Detection & Investigation (Incident Response)
  2. Hardening & Prevention (Hardening — win path)
  3. Crisis Management & Recovery (Disaster Recovery — loss path)

Students learn that even with perfect security, breaches can happen. The question isn't "Will we be attacked?" but "When we're attacked, will we respond effectively?"


v2.2 Playtest Edition Changes

  1. Card system is canonical. The freeform Actions A-E from v2.1 are replaced by the 13 Crisis Action cards; track advances are deterministic (no success/failure rolls). The optional Justification d20 (11+ → +5%) is the only roll in track advancement; ACTION-13's "no guarantee" roll is the only other die.
  2. One clock: 8 turns, ~6-12 narrative hours each, Turn 1 ≈ detection +6h to Turn 8 ≈ 72h (fixes the v2.1 7×6h = 42h vs. "48 hours" arithmetic). GDPR 72-hour regulatory notification = ACTION-10 by end of Turn 8, escalating penalties (-10 Regulator trust/turn) from Turn 6. Customer notification recommended by Turn 5. The v2.1 "12-hour regulatory deadline" is relabeled as internal legal/executive escalation. The 30-day/60-day event deadlines are re-expressed as deferred final-scoring penalties (-20 / -15 Reputation).
  3. Reputation reconciled with the percent tracks: the three tracks + five trust meters drive play; final Reputation (0-100) is computed once at game end (start 100; track tiers, trust average, decision/event modifiers; clamp 0-100). One outcome tier table (85/70/55/40), identical here and in the standalone guide.
  4. Single values for former contradictions: negotiation reputation effect -5; late-regulator penalty -10/turn; transparent-notification bonus +5; starting reputation flat 100 (scope-scaled 90/80 is an optional difficulty variant); turn count 8.
  5. Event deck procedure: 12 events split into 6 Scheduled (placed on the timeline at setup) + 6 Triggered (fire once when their condition is met). EVENT-08's "additional 7-turn cycle" is now "+2 turns, once per game."
  6. Multi-turn actions defined once: Duration N occupies the action slot only on the start turn; the advance completes at the start of the Nth following turn; one in-flight multi-turn action at a time. ACTION-04's "runs alongside other actions" text was aligned to this rule.
  7. ACTION-13 Ransom Decision added (Pay 20 / Negotiate 5 / Refuse 0, with the exact effects above) — this is the "Negotiation Team" card promised in v2.1.
  8. Bounds & loss: Budget floor 0 (free Holding Statement always available); trust meters and Reputation clamp 0-100; one loss list — any trust meter at 0% = immediate loss, otherwise the tier table. "<30% = loss" removed; "<20%" is a critical warning state only.
  9. Money mapping: 1 Budget ≈ $50K; remaining dollar figures are narrative-only.
  10. Fact corrections: OFAC/insurance wording for ransom payment; GDPR fine = €20M or 4% of global turnover, whichever is HIGHER; California/CCPA "without unreasonable delay" + statutory damages; turnover-scale fines attributed to GDPR-style regimes (not the FTC).
  11. Balance: forensic-quality Reputation bonus capped at +6 per game; mandatory-path cost verified at 29-44 Budget against the 50 starting budget.

Disaster Recovery Phase for Incident Zero
For teams that experience the cost of failed detection
Emphasizing that response quality matters as much as prevention

docs/standalone-games/disaster-recovery.md

Disaster Recovery Module: Standalone Play Guide

Version: 2.2 - Playtest Edition
Duration: 30-45 minutes
Players: 1 Threat Orchestrator + 2-4 Blue Team members
Best For: Crisis management training, incident response procedures, stakeholder communication

v2.2: the card system is canonical. You play the 13 Crisis Action cards against the 12 Event cards while managing 5 Stakeholder trust meters, over one 8-turn clock. Track advances are deterministic; dice appear only in the optional Justification bonus and ACTION-13's "no guarantee" roll. This guide uses the exact same rules, numbers, and tier table as docs/rules/module-disaster-recovery.md.


Module Overview

The Disaster Recovery Module teaches players how to manage a real breach — investigation, remediation, stakeholder communication, and the ransom decision — under extreme time and budget pressure.

Players balance three progress tracks (Investigation %, Remediation %, Communication %) and five stakeholder trust meters while an event timeline turns up the heat. At the end, a single Reputation score (0-100) is computed from what they achieved.


What You Need

From cards/disaster-recovery/:
- 13 Crisis Action cards (ACTION-01 to ACTION-13)
- 12 Event cards (6 Scheduled + 6 Triggered)
- 5 Stakeholder cards (trust meters)
- A d20, and paper for the tracks/trust/budget (tracker sheets: see print pack, coming)

Money mapping: 1 Budget ≈ $50K.


Setup (5 minutes)

1. Set the Crisis Scenario

The breach has already succeeded. The Threat Orchestrator reveals the full attack chain:

"Your organization has experienced a significant data breach. Here's what happened:

Attack Chain:
  1. Phishing Campaign → Employee clicked malicious link
  2. Credential Harvesting → Login credentials captured
  3. VPN Access → Attacker gained network access
  4. Lateral Movement → Access to production servers
  5. Database Exfiltration → 500,000+ customer records stolen

Current Status:
- Breach detected; the crisis clock starts now
- Attacker demanding $1M ransom (= 20 Budget) or they publish the data
- Media starting to ask questions
- You have 8 turns (72 narrative hours) to respond

Your Challenge: Investigate the breach, remediate it, and communicate with stakeholders — before the deadlines land."

2. Blue Team Setup

3. Build the Event Timeline (place on table)

| Turn | Time | Scheduled Event / Deadline |
|---|---|---|
| 1 | +6h | Internal discovery |
| 2 | +12h | EVENT-01 First Media Coverage; internal legal/executive escalation complete (narrative) |
| 3 | +18h | EVENT-04 Board Meeting |
| 4 | +24h | |
| 5 | +36h | EVENT-03 Customer Notification Window (ACTION-09 recommended by end of this turn); EVENT-09 Shareholder Pressure (public companies); default ransom deadline (ACTION-13) |
| 6 | +48h | EVENT-02 Regulatory 72h Deadline — escalation begins (-10 Regulator trust per un-notified turn) |
| 7 | +60h | EVENT-12 Government Subpoena (medium/large breaches) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |

Lay the 6 Triggered events (EVENT-05, -06, -07, -08, -10, -11) face-up where their trigger conditions can be read. Each fires once, when its condition is met.

4. Optional Difficulty Variant: Scope-Scaled Start (clearly optional)

Default: the final Reputation computation starts at 100. For harder games:

| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |

Gameplay Loop (25-35 minutes)

Turn Sequence

1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Resolve this turn's Scheduled event; check all un-fired Triggered events
   - Apply decay/deadline penalties (Customer decay from Turn 3 if no communication yet; Regulator -10/turn from Turn 6 if un-notified)
   - Announce remaining Budget, tracks, and trust meters

2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its cost, apply its track advance — or take the free Holding Statement (0 Budget, +5% Communication)
   - Multi-turn actions (Duration N): occupy the action slot only on the turn started; the advance completes at the start of the Nth following turn; one in flight at a time
   - Justification bonus (optional): strong, specific technical justification → roll d20; on 11+ that action's advance gains +5%
   - ACTION-13 Ransom Decision may be declared at any time before the ransom deadline; it does not use the action slot (once per game)

3. APPLY STAKEHOLDER EFFECTS
   - Apply the action's trust effects (table below)

4. END OF TURN
   - Any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter; the game ends after Turn 8 (Turn 10 if EVENT-08 fired)

Crisis Action Quick Reference (identical to the cards)

| Card | Category | Cost | Advance | Duration | Trust effects |
|---|---|---|---|---|---|
| ACTION-01 Forensic Analysis | Investigation | 12 | +25% Inv | 2 turns | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | Investigation | 8 | +15% Inv | 1 turn | |
| ACTION-03 Log Analysis | Investigation | 5 | +10% Inv | 1 turn | |
| ACTION-04 Third-Party IR | Investigation | 20 | +30% Inv, +20% Rem | 3 turns | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Remediation | 10 | +20% Rem | 1 turn | Executives +5 |
| ACTION-06 Containment | Remediation | 8 | +15% Rem | 1 turn | Executives +5 |
| ACTION-07 Rebuild from Backup | Remediation | 15 | +25% Rem | 2 turns | Exec +5, Cust +5, Board +5 |
| ACTION-08 Credential Reset | Remediation | 6 | +12% Rem | 1 turn | Executives +5 |
| ACTION-09 Customer Notification | Communication | 10 | +20% Comm | 1 turn | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Communication | 8 | +10% Comm | 1 turn | Regulators +20 |
| ACTION-11 Media Management | Communication | 12 | +15% Comm | 1 turn | Media +20, Customers +10 |
| ACTION-12 Board Communication | Communication | 9 | +12% Comm | 1 turn | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | — (scoring only) |
| Holding Statement (free rule) | Communication | 0 | +5% Comm | 1 turn | — (stops Customer decay) |

The Ransom Decision (ACTION-13)

Declare before the ransom deadline (default: start of Turn 5). One option, once per game:

Data-publication event: if the team has not PAID by the (possibly delayed) deadline: Customer trust -20, Media trust -15, plus the REFUSE penalty if applicable.

Facts: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage; the FBI discourages payment; payment guarantees nothing.


Deadline Management (the only clock)


Scoring & Final Reputation (identical to the module rules)

At game end, compute Reputation:

FINAL REPUTATION = 100 (or 90/80 with the scope variant), then apply:

1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   50-100% -> -0    |  25-49% -> -5   |  10-24% -> -10  |  0-9% -> -20

2. STAKEHOLDER TRUST (average of the five meters)
   70%+ -> +5  |  50-69% -> 0  |  30-49% -> -10  |  below 30% -> -20

3. DECISION & EVENT MODIFIERS (each at most once)
   +5   Customers notified transparently by end of Turn 5
   +3   per quality investigation completed (ACTION-01 or ACTION-04), MAX +6 per game
   -5 / -15 / -20   ACTION-13: Negotiate / Pay / Refuse-and-published
   -10  each: EVENT-05 Class Action, EVENT-06 Regulatory Fine, EVENT-08 Second Breach
   -15  customers never notified in-game
   -20  regulators never notified in-game

4. CLAMP to 0-100.

Worked example: see the module rules (docs/rules/module-disaster-recovery.md) — a 50-Budget team runs ACTION-02, -06, -10, NEGOTIATE, -05, -09 plus Holding Statements and finishes Inv 25 / Rem 35 / Comm 45, trust average 54 → Reputation 85.

Outcome Tiers (v2.2 — the ONE tier table)

| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |

Loss precedence: (1) any stakeholder trust at 0% at any point = immediate loss; (2) otherwise, the tier table above. Below-20% trust is a critical warning state only.
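As an added illustration (not part of the Incident Zero rules text), the four scoring steps, the tier table and the loss precedence above, implemented in Python. The module's worked example is reproduced as test data; the five individual meter values are constructed here so that they average 54, as the text states.

```python
"""Final Reputation calculator for the Disaster Recovery module (v2.2 scoring).

Added illustration; not part of the Incident Zero rules text. It applies the
four scoring steps (track results, stakeholder trust, decision/event
modifiers, clamp) and the outcome tier table exactly as the rules state them.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple


def track_penalty(pct: int) -> int:
    """Step 1: penalty for one track by its final percentage."""
    if pct >= 50:
        return 0
    if pct >= 25:
        return -5
    if pct >= 10:
        return -10
    return -20


def trust_modifier(avg: float) -> int:
    """Step 2: modifier from the average of the five stakeholder meters."""
    if avg >= 70:
        return 5
    if avg >= 50:
        return 0
    if avg >= 30:
        return -10
    return -20


@dataclass
class GameRecord:
    investigation: int
    remediation: int
    communication: int
    trust: Dict[str, int]                          # Customers, Regulators, Media, Board, Executives
    customers_notified_turn: Optional[int] = None  # turn ACTION-09 completed; None = never
    regulators_notified: bool = False              # ACTION-10 completed in-game
    quality_investigations: int = 0                # completed ACTION-01 / ACTION-04 plays
    ransom: Optional[str] = None                   # "PAY" / "NEGOTIATE" / "REFUSE"; None = no demand
    data_published: bool = False                   # the data-publication event fired
    events_fired: Set[str] = field(default_factory=set)
    start: int = 100                               # 90 or 80 with the scope variant


SCORED_EVENTS = {"EVENT-05", "EVENT-06", "EVENT-08"}   # -10 each if they fired


def decision_event_modifiers(g: GameRecord) -> List[Tuple[str, int]]:
    """Step 3: each modifier applies at most once; returns (reason, delta) pairs."""
    mods: List[Tuple[str, int]] = []
    if g.customers_notified_turn is not None and g.customers_notified_turn <= 5:
        mods.append(("customers notified transparently by end of Turn 5", 5))
    if g.quality_investigations:
        mods.append(("quality investigations (+3 each, max +6)",
                     min(3 * g.quality_investigations, 6)))
    if g.ransom == "NEGOTIATE":
        mods.append(("ACTION-13 NEGOTIATE", -5))
    elif g.ransom == "PAY":
        mods.append(("ACTION-13 PAY", -15))
    elif g.ransom == "REFUSE" and g.data_published:  # an undeclared decision counts as REFUSE
        mods.append(("ACTION-13 REFUSE and data published", -20))
    for event in sorted(g.events_fired & SCORED_EVENTS):
        mods.append((event, -10))
    if g.customers_notified_turn is None:
        mods.append(("customers never notified in-game", -15))
    if not g.regulators_notified:
        mods.append(("regulators never notified in-game", -20))
    return mods


def final_reputation(g: GameRecord) -> int:
    score = g.start
    score += sum(track_penalty(p) for p in (g.investigation, g.remediation, g.communication))
    score += trust_modifier(mean(g.trust.values()))
    score += sum(delta for _, delta in decision_event_modifiers(g))
    return max(0, min(100, score))                 # Step 4: clamp to 0-100


TIERS = [(85, "Exemplary"), (70, "Managed"), (55, "Damaged"),
         (40, "Mismanaged"), (0, "Catastrophic")]


def outcome(g: GameRecord) -> str:
    """Loss precedence: a meter at 0% is an immediate loss; otherwise the tier table."""
    if any(v <= 0 for v in g.trust.values()):
        return "Loss (stakeholder trust reached 0%)"
    rep = final_reputation(g)
    return next(name for floor, name in TIERS if rep >= floor)


# The module's worked example: Inv 25 / Rem 35 / Comm 45, trust average 54,
# ACTION-09 on Turn 5, ACTION-10 played, NEGOTIATE, no quality investigation.
# The five meter values below are constructed so that they average 54.
WORKED_EXAMPLE = GameRecord(
    investigation=25, remediation=35, communication=45,
    trust={"Customers": 45, "Regulators": 60, "Media": 40, "Board": 65, "Executives": 60},
    customers_notified_turn=5, regulators_notified=True,
    ransom="NEGOTIATE", data_published=True,       # publication fires at Turn 7 after NEGOTIATE
)

if __name__ == "__main__":
    for reason, delta in decision_event_modifiers(WORKED_EXAMPLE):
        print(f"{delta:+4d}  {reason}")
    print(final_reputation(WORKED_EXAMPLE), outcome(WORKED_EXAMPLE))   # 85 Exemplary
```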


Debrief & Reflection (5-10 minutes)

PART 1: INVESTIGATION QUALITY (2 min)
1. "Did you investigate adequately? What's the total impact?"
2. "What important information did you miss?"
3. "Would better forensics have changed your decisions?"

PART 2: COMMUNICATION STRATEGY (2 min)
1. "How did you prioritize stakeholder notifications?"
2. "What would you communicate differently?"
3. "Did transparency help or hurt your reputation?"

PART 3: FINANCIAL DECISIONS (2 min)
1. "Did you pay the ransom? Why or why not?"
2. "What was your total incident cost (Budget spent × $50K, plus deferred penalties)?"
3. "Would different decisions have saved money?"

PART 4: RESPONSE QUALITY (2 min)
1. "If you replayed, what would you do first?"
2. "Which stakeholder relationship was hardest to preserve?"
3. "What was your biggest crisis decision?"

PART 5: REAL-WORLD CONNECTION (2 min)
1. "Compare your spending to actual breaches (Target, Equifax, etc.)"
2. "What's harder: prevention or response?"
3. "Why is it so expensive to manage a real breach?"


Tips for Threat Orchestrators

Breach Scenario Variations

Small Breach (Beginner) — 50,000 records, opportunistic attacker, no subpoena (skip EVENT-12), total real-world loss ~$1-5M (narrative).

Medium Breach (Intermediate) — 500,000 records, ransom-seeking criminal group, full event timeline, total loss ~$5-50M (narrative).

Large Breach (Advanced) — 5M+ records, sophisticated attacker, use the scope variant (start computation at 80), total loss ~$50M+ (narrative).

Pressure Escalation

Decision Consequences


Sample Scenarios to Try

Scenario 1: "Credential Breach" (Small, Beginner)

Scope: 50,000 customer passwords exposed. Attacker: opportunistic; ransom demand small — try REFUSE and manage the fallout. Budget: 50. Focus: communicating bad news without panic. Lesson: even small breaches require careful stakeholder management.

Scenario 2: "Supply Chain Breach" (Medium, Intermediate)

Scope: 500,000 records via a compromised vendor. Budget: 50 (+ any carried over from prior modules). Focus: ACTION-04 Third-Party IR shines here; multi-stakeholder communication. Lesson: vendor relationships complicate crisis response.

Scenario 3: "Nation-State Attack" (Large, Advanced)

Scope: 5M+ records; attacker won't negotiate (ACTION-13 offers REFUSE only). Use the scope variant (start at 80). Focus: damage control; accept a "Damaged" tier as a good result. Lesson: some breaches are unwinnable; response quality still matters.


Extensions & Variations

Extended Crisis Mode (60 minutes)

Litigation Track

Competitive Breach Response


Next Steps After This Module

If you scored 70+ (Managed or better):
- Continue to the Audit & Compliance Module → validate response procedures post-breach
- Transition to the Hardening Module → prevent similar breaches

If you scored below 70:
- Discuss what went wrong
- Replay the scenario with different decisions
- Study real breach case studies (Target, Equifax, SolarWinds)

Standalone: play again with a different breach type or attacker profile


Need Help?


Disaster Recovery Module - Standalone Play Guide · Part of Incident Zero, a modular cybersecurity board game · v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/crisis-action-cards.md

Disaster Recovery Module: Crisis Action Cards

Version: 2.2 - Playtest Edition · Last Updated: October 2025


Overview

Crisis Action Cards represent the specific actions an organization can take during a breach to investigate, remediate, and respond. Teams deploy ONE Crisis Action each turn to advance three objectives: Investigation %, Remediation %, and Communication % (each tracked 0-100%). Track advances are deterministic — no dice are required to advance a track.

Money mapping: 1 Budget ≈ $50K. Dollar figures on cards (fines, ransom) use this mapping unless marked narrative-only.


Crisis Action Card Organization

Action Categories

Crisis Actions are organized into three categories, plus one decision card:

  1. Investigation Actions (4 cards)
     - Advance understanding of the breach
     - Determine scope and impact
     - Gather evidence for forensics
     - Enable faster containment

  2. Remediation Actions (4 cards)
     - Fix the vulnerability that was exploited
     - Contain compromised systems
     - Recover from backup
     - Rebuild infrastructure

  3. Communication Actions (4 cards)
     - Notify stakeholders
     - Manage media/public relations
     - Report to regulators
     - Maintain customer trust

  4. Crisis Decision (1 card)
     - ACTION-13: Ransom Decision (Pay / Negotiate / Refuse)

Multi-Turn Actions (v2.2)

Some actions list Duration N (N greater than 1). The rule, defined once:

Duration N: the action occupies your action slot only on the turn it is started; its track advance completes and is applied at the start of the Nth following turn. Only one multi-turn action may be in flight at a time. While it is in flight, you may take single-turn actions on later turns, but you may not start another multi-turn action.

Example: ACTION-01 (Duration 2) started on Turn 2 applies its +25% Investigation at the start of Turn 4.

Justification Bonus (v2.2) — optional

The signature d20 stays as an optional bonus only (it never gates track advancement): when a team plays an Action card with a strong, specific technical justification, the Threat Orchestrator may allow a d20 roll. On 11+, that action's track advance gains +5%. One roll per action card played.

Free Action: Holding Statement (v2.2)

This is a standing rule, not a numbered card. On any turn, instead of playing an Action card, the team may issue a Holding Statement (internal update / brief public status statement):


Investigation Actions

ACTION-01: Forensic Analysis

Category: Investigation
Cost: 12 Budget
Investigation Advance: +25%
Duration: 2 turns (multi-turn action)

Description: Forensic experts analyze compromised systems to determine:
- What data was accessed
- What was exfiltrated
- How long the attacker had access
- What attack techniques were used
- Evidence for legal proceedings

Key Details:
- Requires shutting down the compromised system (removes it from operation)
- Requires a forensics team (may need external consultants)
- Takes time (2 turns minimum)
- Provides detailed evidence
- Essential for legal action and regulatory compliance

When to Use:
- Need a definitive answer about breach scope
- Legal action is likely
- Compliance investigation required
- Regulatory agency involved

Risk if Not Done:
- Cannot determine the full extent of damage
- Cannot properly remediate (may miss persistence)
- No evidence for law enforcement
- Regulatory penalties for inadequate investigation

Regulatory Impact:
- Most breach notification laws require a "reasonable investigation"
- Forensic evidence may be required for regulatory compliance
- Better investigation = stronger regulatory defense

Team Trade-off:
- Expensive (12 Budget)
- Takes time (2 turns)
- But provides a high Investigation %
- Provides evidence for future action


ACTION-02: Threat Hunting

Category: Investigation
Cost: 8 Budget
Investigation Advance: +15%
Duration: 1 turn

Description: The security team proactively searches logs and systems for:
- Other compromised systems
- Lateral movement indicators
- Persistence mechanisms
- Command & Control communication
- Evidence of data staging

Key Details:
- Requires a SIEM with good logging (if available)
- Team searches for attack indicators
- Can discover secondary compromises
- Lower cost than forensics but less detailed
- Faster than forensics (1 turn)

When to Use:
- Need to know if the compromise spread
- Want to find hidden persistence
- Time is critical (forensics takes 2 turns)
- Budget is constrained

Risk if Not Done:
- May not discover all compromised systems
- Attacker may maintain hidden access
- May lose evidence over time (logs rotate)
- Compliance investigation may be incomplete

Regulatory Impact:
- Shows a good-faith investigation effort
- Supports the "reasonable investigation" standard
- Evidence of a proactive security posture

Team Trade-off:
- Cheaper than forensics (8 Budget)
- Faster (1 turn vs. 2)
- Less detailed evidence
- Good balance of cost/time/effectiveness


ACTION-03: Log Analysis

Category: Investigation
Cost: 5 Budget
Investigation Advance: +10%
Duration: 1 turn

Description: The security team reviews available logs (firewall, VPN, Windows Event Log, application logs) to understand:
- When the breach was discovered
- What access was gained
- What systems were accessed
- What data might have been accessed
- Timeline of the attack

Key Details:
- Requires logs (must have been collecting logs)
- Basic analysis of existing logs
- Cheapest investigation action
- Quick (1 turn)
- Limited by log retention/quality
- Can be done internally (no external consultants)

When to Use:
- Budget is extremely tight
- Need a quick preliminary understanding
- Good logging infrastructure in place
- Time is critical

Risk if Not Done:
- No understanding of what happened
- Cannot determine scope or impact
- Regulatory agencies upset about the lack of investigation
- Potential for an incomplete response

Regulatory Impact:
- Minimal investigation (may not satisfy "reasonable investigation")
- Shows an attempt at investigation
- Not sufficient as the sole investigation method

Team Trade-off:
- Cheapest investigation (5 Budget)
- Fastest (1 turn)
- Limited effectiveness
- Often insufficient alone


ACTION-04: Third-Party Incident Response Engagement

Category: Investigation (+ Remediation)
Cost: 20 Budget
Investigation Advance: +30% (+ Remediation +20%)
Duration: 3 turns (ongoing engagement)

Description: Bring in an external incident response firm (forensics, incident handling, remediation specialists). They conduct:
- Comprehensive forensic investigation
- Breach scope determination
- Remediation recommendations
- Expert testimony for legal proceedings
- Regulatory coordination

Key Details:
- Very expensive (20 Budget)
- Takes significant time to mobilize
- Provides expert guidance and credibility
- Provides evidence acceptable in court
- Supports regulatory defense
- Multi-turn (Duration 3): occupies your action slot only on the turn started; see the Multi-Turn Actions rule

When to Use:
- Major breach with legal implications
- Need expert investigation for court
- Regulatory agency demands expertise
- Internal team cannot handle the scope
- Liability is significant

Benefits:
- Expert investigation (higher quality)
- Evidence for prosecution
- Regulatory/legal credibility
- Expert testimony available
- Ongoing support (3 turns)

Risk if Not Done:
- Without external expertise, the breach response may be insufficient
- Legal case may fail (poor evidence)
- Regulatory penalties for inadequate investigation
- May miss critical evidence

Regulatory Impact:
- High credibility with regulators
- Better legal defense
- Shows serious investigation effort
- External experts satisfy "reasonable investigation"

Team Trade-off:
- Most expensive (20 Budget)
- Long commitment (Duration 3 — advances apply at the start of the 3rd following turn)
- But provides significant Investigation + Remediation
- Provides external expertise and credibility
- While in flight you may take single-turn actions, but no other multi-turn action (v2.2 Multi-Turn rule)


Remediation Actions

ACTION-05: Patch & Harden (Affected Systems)

Category: Remediation
Cost: 10 Budget
Remediation Advance: +20%
Duration: 1 turn

Description: Apply patches to the vulnerability that was exploited:
- Install OS patches (if the vulnerability is OS-level)
- Update the application (if the vulnerability is app-level)
- Change default credentials
- Remove backdoor accounts
- Harden network configuration

Key Details:
- Targets the specific vulnerability that was exploited
- Must know what vulnerability was exploited (requires investigation)
- Can be done on specific systems or organization-wide
- Prevents the same attack from succeeding again
- Does NOT remove the attacker if already inside

When to Use:
- Know what vulnerability was exploited
- Want to prevent re-exploitation
- Can apply the patch without affecting business
- Quick remediation needed

Risk if Not Done:
- Attacker can re-exploit the same vulnerability
- Breach scope may grow
- Regulatory agency upset about the lack of remediation
- Risk of the breach happening again

Regulatory Impact:
- Shows timely remediation
- Prevents recurrence
- Good compliance posture
- Regulatory agencies expect patching

Team Trade-off:
- Moderate cost (10 Budget)
- Quick (1 turn)
- Fixes the vulnerability
- But only prevents re-exploitation, doesn't remove the attacker


ACTION-06: Containment (Isolate Compromised Systems)

Category: Remediation
Cost: 8 Budget
Remediation Advance: +15%
Duration: 1 turn

Description: Remove compromised systems from the network to:
- Stop the attacker from using the compromised system for lateral movement
- Prevent the attacker from exfiltrating more data
- Preserve the compromised system for forensics
- Limit the blast radius of the compromise

Key Details:
- Disconnect the compromised system from the network (kill network)
- System is still available for forensics
- Stops the active attacker in that system
- Does NOT affect the attacker if they're in other systems
- May impact business (systems are unavailable)

When to Use:
- Know which systems are compromised
- Want to stop the active attacker
- Can tolerate system downtime
- Attacker is still actively in the system

Risk if Not Done:
- Attacker continues using the compromised system
- Lateral movement continues
- More data exfiltration
- Attacker may install additional backdoors

Regulatory Impact:
- Shows swift containment action
- Demonstrates incident response
- Limits liability (stopped the attacker)
- Good compliance posture

Team Trade-off:
- Moderate cost (8 Budget)
- Quick (1 turn)
- Stops the active attacker
- But impacts business operations


ACTION-07: System Rebuild/Recovery from Backup

Category: Remediation
Cost: 15 Budget
Remediation Advance: +25%
Duration: 2 turns (restore + verification)

Description: Rebuild compromised systems from backup:
- Restore the system from a clean backup (pre-compromise)
- Apply patches to prevent re-exploitation
- Restore only clean data
- Verify the system is clean before returning it to production
- Monitor the restored system for attacker re-entry

Key Details:
- Requires a backup of the system (must exist and be clean)
- Takes time to restore (2 turns minimum)
- Removes all attacker artifacts
- Ensures the system is truly clean
- Most reliable remediation method
- Dependent on backup quality/testing

When to Use:
- Backup exists and is verified clean
- System compromise is extensive
- Want to ensure complete attacker removal
- Business can tolerate a 2-turn rebuild

Risk if Not Done:
- Attacker may maintain persistence (if the system is not rebuilt)
- Restoring from a backup with the attacker in it = no improvement
- Compliance may require a clean rebuild

Regulatory Impact:
- Shows complete remediation
- Demonstrates a thorough approach
- Better regulatory outcome
- Shows commitment to clean recovery

Team Trade-off:
- Higher cost (15 Budget)
- Takes time (2 turns)
- But provides complete remediation
- Most reliable method


ACTION-08: Change Credentials & Access Controls

Category: Remediation
Cost: 6 Budget
Remediation Advance: +12%
Duration: 1 turn

Description: Revoke and reset all potentially compromised credentials:
- Reset passwords for all accounts that touched the compromised system
- Revoke tokens/API keys
- Reset VPN credentials
- Update database passwords
- Revoke certificates/SSH keys

Key Details:
- Prevents the attacker from using stolen credentials
- Must do if credentials were compromised (stolen by Mimikatz, etc.)
- Can cause business disruption (users locked out)
- Quick and important
- Often overlooked but critical

When to Use:
- Credentials were likely compromised
- Attacker had access to credential stores
- Need to prevent attacker re-entry via stolen credentials
- Quick credential reset is possible

Risk if Not Done:
- Attacker can use stolen credentials to re-enter
- Lateral movement using stolen creds continues
- Breach is not truly contained
- Regulatory violation (allowing unauthorized access)

Regulatory Impact:
- Essential remediation step
- Shows understanding of the attack chain
- Prevents credential reuse attacks
- Regulatory expectation

Team Trade-off:
- Low cost (6 Budget)
- Quick (1 turn)
- Important and often overlooked
- Can cause short-term business disruption


Communication Actions

ACTION-09: Customer Notification

Category: Communication
Cost: 10 Budget
Communication Advance: +20%
Duration: 1 turn (but affects later turns)
Deadline (v2.2): Recommended by end of Turn 5. If not completed by then: Customer trust -10 at the start of each later turn; if never completed in-game: -15 Reputation at final scoring (deferred statutory violation).

Description: Notify customers that their data may have been breached:
- Determine which customers were affected
- Prepare the notification message
- Send via email, mail, or phone
- Provide information about what was accessed
- Offer credit monitoring/identity protection if applicable
- Field customer questions/complaints

Key Details:
- Required by breach notification laws ("without unreasonable delay" in California and most U.S. states; GDPR requires notifying individuals without undue delay when risk is high)
- Can be very expensive if many customers are affected
- Notification can cause loss of customer trust
- Early notification shows good faith
- Delayed notification shows the company doesn't care
- Impacts the Customers stakeholder directly

Regulatory Requirements:
- Most laws require notification "without unreasonable delay"; some states set specific outer limits
- California: notify without unreasonable delay; CCPA statutory damages fuel class actions
- Notification must include:
  - What information was accessed
  - Recommended actions
  - Contact information
  - Free credit monitoring (sometimes)

When to Use:
- Customer data was accessed in the breach
- Regulatory requirement to notify
- Want to rebuild customer trust
- Transparency is important

Risk if Not Done:
- Regulatory violation (fines, penalties)
- Customer discovery + lawsuits
- Loss of customer trust (worse than notification)
- Reputation damage from a cover-up is worse than from the breach

Regulatory Impact:
- Many states REQUIRE customer notification
- California law, GDPR, and other state laws all require notification; CCPA statutory damages fuel class actions
- Without notification = regulatory violation + fines
- Proactive notification = better regulatory relationship

Team Trade-off:
- Moderate cost (10 Budget)
- Can be done quickly (1 turn)
- Required by law (usually)
- Impacts the Customers stakeholder (see Stakeholder Cards)
- Must be done eventually


ACTION-10: Regulatory/Law Enforcement Notification

Category: Communication
Cost: 8 Budget
Communication Advance: +10%
Duration: 1 turn (but ongoing for months)
Deadline (v2.2): Must be completed by end of Turn 8 (the GDPR 72-hour anchor). Escalating penalty from Turn 6: if not yet completed, Regulator trust -10 at the start of Turns 6, 7, and 8. If never completed in-game: -20 Reputation at final scoring (deferred fine).

Description: Notify the appropriate regulatory agencies:
- Contact FBI/Secret Service (federal crimes)
- Contact the state attorney general (breach notification)
- Contact the relevant sector regulator (HHS for healthcare, OCC for banking, etc.)
- Contact DHS (if critical infrastructure)
- Coordinate with law enforcement

Key Details:
- Required by law in many cases (healthcare, financial, etc.)
- May trigger an investigation by law enforcement
- Can help recover stolen data
- Provides some legal protection
- Can delay prosecution (if they're investigating)
- Required before public disclosure in some cases

Regulatory Requirements:
- EU data (GDPR): Must notify the supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER (narrative-only figure)
- Healthcare (HIPAA): Must report to the HHS Office for Civil Rights
- Financial (GLBA/FFIEC): Must report to banking regulators
- Payment cards (PCI-DSS): Must report to card networks
- Critical infrastructure: Must report to DHS/CISA

When to Use:
- Data breach triggers a regulatory requirement
- Want law enforcement assistance
- Want to establish a good-faith investigation
- Legal team recommends it

Risk if Not Done:
- Regulatory violation if required
- Law enforcement cannot assist
- Company appears to be hiding the breach
- Regulators may impose penalties

Regulatory Impact:
- Required in many cases (legal obligation)
- Shows cooperation with authorities
- May help recover stolen data
- Better regulatory relationship
- May reduce penalties (self-reporting)

Team Trade-off:
- Moderate cost (8 Budget)
- Ongoing (involves multiple turns of coordination)
- Required by law (usually)
- Impacts the Regulators stakeholder (see Stakeholder Cards)
- Must be done in most cases


ACTION-11: Media/Public Relations Management

Category: Communication
Cost: 12 Budget
Communication Advance: +15%
Duration: 1 turn (but ongoing for days/weeks)

Description: Manage media coverage and public perception:
- Prepare a press statement
- Contact media proactively
- Manage the social media response
- Coordinate CEO/executive messaging
- Defend the company's reputation
- Provide accurate information to the media

Key Details:
- Can heavily influence public perception
- Proactive messaging is better than reactive
- Media coverage can amplify damage
- Poor communication = reputation disaster
- Good communication = the company "handled it well"
- A PR firm may be needed (crisis PR)

When to Use:
- Breach is significant (likely to attract media)
- Company has public reputation risk
- Customers are media-aware (B2C more than B2B)
- Proactive messaging is possible

Risk if Not Done:
- Media covers the story with only the attacker's perspective
- Reputation damage from a poor response
- Stock price may drop (if public company)
- "No comment" looks like the company is hiding
- Social media amplifies negative coverage

Impact if Done Well:
- "Company handled the breach responsibly"
- Trust is maintained or recovered
- Stock price less impacted
- Reputation damage is contained
- Better customer retention

Team Trade-off:
- Higher cost (12 Budget)
- Ongoing (multiple turns)
- Impacts the Media/Board stakeholders (see Stakeholder Cards)
- Critical for public companies
- Can significantly affect perception


ACTION-12: Board & Shareholder Communication

Category: Communication
Cost: 9 Budget
Communication Advance: +12%
Duration: 1 turn (but triggers Board Meeting - see Event Cards)

Description: Inform the board of directors and shareholders about the breach:
- Prepare an incident briefing for the board
- Present forensics findings
- Discuss regulatory/legal implications
- Present the remediation plan and costs
- Discuss risk mitigation going forward
- Field board questions

Key Details:
- Board must be informed promptly
- Disclosure may be required (SEC rules if public company)
- Board has a fiduciary duty to inform shareholders
- Lawsuit risk if the board hides information
- Board can fire the CEO if the response is poor
- Must include implications for D&O insurance

Regulatory Requirements:
- SEC disclosure rules (if public company)
- State corporate law (fiduciary duty)
- Insurance requirements (D&O coverage)

When to Use:
- Board needs to understand the breach
- Public company (SEC disclosure likely needed)
- Board questions will come (better to be prepared)
- Shareholder lawsuits are likely

Risk if Not Done:
- Board discovers the breach from the media = crisis of confidence
- Shareholder lawsuits for non-disclosure
- SEC investigation for disclosure violations
- CEO may be fired (looked like hiding information)
- Stock price crashes when discovered

Impact if Done Well:
- Board is informed and supportive
- No surprise when disclosed
- Board can defend the company (if sued)
- Stock market takes the news in stride
- Organized response is possible

Team Trade-off:
- Moderate cost (9 Budget)
- Critical for public companies
- Impacts the Board stakeholder (see Stakeholder Cards)
- Required by law (usually)
- Complete before EVENT-04 (Board Meeting, scheduled Turn 3) to be "prepared" (see Event Cards)


ACTION-13: Ransom Decision (v2.2)

Category: Crisis Decision
Cost: Varies by option (see below)
Timing: Play at any time before the ransom deadline (default: start of Turn 5). Playing this card does NOT use your turn's action slot — it is a decision made in addition to your normal action. Once per game. If no decision is made by the deadline, the team is treated as having chosen REFUSE.
Used only in scenarios with a ransom/extortion demand.

Choose exactly ONE option:

Option A — PAY
- Cost: 20 Budget (≈ $1M at 1 Budget ≈ $50K)
- Reputation: -15 at final scoring
- Effect: The data-publication event is skipped/cancelled. +20% Remediation immediately (decryption keys restore systems).
- No guarantee: The Threat Orchestrator rolls a d20. On 1-5, the keys don't work — no refund, and the Remediation advance is +0% instead of +20%. (The publication event stays cancelled; the attacker took the money and moved on.)
- Flavor: "Criminals are not a customer-service organization."

Option B — NEGOTIATE
- Cost: 5 Budget (negotiator/counsel fees)
- Reputation: -5 at final scoring
- Effect: The data-publication event is delayed by 2 turns (default: from start of Turn 5 to start of Turn 7). Buys time to notify stakeholders and remediate before publication.

Option C — REFUSE
- Cost: 0 Budget
- Reputation: No immediate change. If the data-publication event triggers later: -20 Reputation at final scoring.
- Effect: No payment, no delay. Focus budget on investigation, remediation, and communication.

Data-Publication Event (reference): In ransom scenarios, if the team has not PAID by the ransom deadline (default: start of Turn 5; +2 turns if NEGOTIATE), the attacker publishes stolen data: Customer trust -20, Media trust -15 (and the REFUSE scoring penalty above, if applicable).

Legal & practical facts (corrected v2.2):
- Payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage
- Law enforcement (FBI) discourages payment — it funds and incentivizes future attacks
- Payment does not guarantee data deletion or working keys

Educational Purpose: There is no "right" answer — payment is a genuine trade-off between operational recovery, ethics, legality, and reputation.


Crisis Action Card Summary

| Card | Category | Cost | Advance | Duration | Key Benefit |
|---|---|---|---|---|---|
| ACTION-01 | Investigation | 12 | +25% | 2 turns | Expert forensics |
| ACTION-02 | Investigation | 8 | +15% | 1 turn | Find hidden compromises |
| ACTION-03 | Investigation | 5 | +10% | 1 turn | Quick log analysis |
| ACTION-04 | Investigation | 20 | +30% Inv / +20% Rem | 3 turns | Third-party expertise |
| ACTION-05 | Remediation | 10 | +20% | 1 turn | Fix vulnerability |
| ACTION-06 | Remediation | 8 | +15% | 1 turn | Contain attacker |
| ACTION-07 | Remediation | 15 | +25% | 2 turns | Clean rebuild |
| ACTION-08 | Remediation | 6 | +12% | 1 turn | Revoke access |
| ACTION-09 | Communication | 10 | +20% | 1 turn | Notify customers (by Turn 5) |
| ACTION-10 | Communication | 8 | +10% | 1 turn | Notify regulators (by Turn 8) |
| ACTION-11 | Communication | 12 | +15% | 1 turn | Media management |
| ACTION-12 | Communication | 9 | +12% | 1 turn | Board notification (before Turn 3) |
| ACTION-13 | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | Ransom decision (once per game) |
| Free | Communication | 0 | +5% | 1 turn | Holding Statement (standing rule, not a card) |

Budget floor (v2.2): Budget can never go below 0. If you cannot afford any card, the free Holding Statement is always available.
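As an added illustration (not part of the Incident Zero rules or any project code), an action-slot ledger that enforces the Multi-Turn Actions rule defined above, the Budget floor, and the 0-100% track cap, using the costs, advances and durations from the summary table. The sequence it replays is the rules text's own example: ACTION-01 started on Turn 2 lands at the start of Turn 4; the other plays around it are constructed.

```python
"""Action-slot ledger for the Crisis Action cards under the v2.2 rules.

Added illustration; not part of the Incident Zero rules text. Costs, advances
and durations are copied from the Crisis Action Card Summary; the Multi-Turn
Actions rule and the Budget floor are enforced as the text states them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# card -> (cost, {track: advance}, duration). ACTION-13 never uses the slot.
CARDS: Dict[str, Tuple[int, Dict[str, int], int]] = {
    "ACTION-01": (12, {"Inv": 25}, 2),
    "ACTION-02": (8,  {"Inv": 15}, 1),
    "ACTION-03": (5,  {"Inv": 10}, 1),
    "ACTION-04": (20, {"Inv": 30, "Rem": 20}, 3),
    "ACTION-05": (10, {"Rem": 20}, 1),
    "ACTION-06": (8,  {"Rem": 15}, 1),
    "ACTION-07": (15, {"Rem": 25}, 2),
    "ACTION-08": (6,  {"Rem": 12}, 1),
    "ACTION-09": (10, {"Comm": 20}, 1),
    "ACTION-10": (8,  {"Comm": 10}, 1),
    "ACTION-11": (12, {"Comm": 15}, 1),
    "ACTION-12": (9,  {"Comm": 12}, 1),
    "HOLDING":   (0,  {"Comm": 5}, 1),   # free standing rule, not a numbered card
}


class IllegalPlay(ValueError):
    """Raised when a play would break a rule (Budget floor, one multi-turn action in flight)."""


@dataclass
class Ledger:
    budget: int = 50
    turn: int = 1
    tracks: Dict[str, int] = field(default_factory=lambda: {"Inv": 0, "Rem": 0, "Comm": 0})
    in_flight: Optional[Tuple[str, int, Dict[str, int]]] = None  # (card, lands on turn, advances)
    log: List[str] = field(default_factory=list)

    def _apply(self, card: str, advances: Dict[str, int]) -> None:
        for track, pct in advances.items():
            self.tracks[track] = min(100, self.tracks[track] + pct)  # tracks are capped at 100%
        self.log.append(f"Turn {self.turn}: {card} applied {advances}")

    def play(self, card: str) -> None:
        """Use this turn's single action slot on `card`."""
        cost, advances, duration = CARDS[card]
        if cost > self.budget:
            raise IllegalPlay(f"{card} costs {cost} but only {self.budget} Budget is left; "
                              "Budget can never go below 0 (the Holding Statement is always free)")
        if duration > 1 and self.in_flight is not None:
            raise IllegalPlay(f"{self.in_flight[0]} is still in flight; "
                              "only one multi-turn action may be in flight at a time")
        self.budget -= cost
        if duration > 1:
            # Occupies the slot only now; the advance lands at the start of the Nth following turn.
            self.in_flight = (card, self.turn + duration, advances)
            self.log.append(f"Turn {self.turn}: {card} started, lands at start of Turn {self.turn + duration}")
        else:
            self._apply(card, advances)  # Duration 1: advance applied on the turn played

    def end_turn(self) -> None:
        """Advance the counter and run the START OF TURN step for the new turn."""
        self.turn += 1
        if self.in_flight is not None and self.in_flight[1] == self.turn:
            card, _, advances = self.in_flight
            self.in_flight = None
            self._apply(card, advances)


def worked_sequence() -> Ledger:
    """The text's example: ACTION-01 started on Turn 2 lands at the start of Turn 4."""
    led = Ledger(budget=50)
    led.play("ACTION-03")                   # Turn 1: Inv 10, Budget 45
    led.end_turn()
    led.play("ACTION-01")                   # Turn 2: Budget 33, in flight until Turn 4
    led.end_turn()
    try:
        led.play("ACTION-07")               # Turn 3: a second multi-turn action is illegal
    except IllegalPlay:
        led.play("ACTION-06")               # single-turn actions are still allowed: Rem 15, Budget 25
    led.end_turn()                          # start of Turn 4: +25% Inv lands, Inv 35
    return led


if __name__ == "__main__":
    ledger = worked_sequence()
    print("\n".join(ledger.log))
    print(ledger.tracks, "Budget", ledger.budget)   # {'Inv': 35, 'Rem': 15, 'Comm': 0} Budget 25
```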


Gameplay Strategy

Three Competing Objectives

Teams must balance three objectives (each goes 0-100%):
- Investigation %: Understand scope and impact
- Remediation %: Fix the vulnerability and remove the attacker
- Communication %: Manage stakeholders and public perception

Investigation vs. Remediation Trade-off

Investigation-Heavy Strategy:
- Spend early turns investigating (ACTION-01, ACTION-02, ACTION-04)
- Then remediate with full knowledge
- Advantage: Know exactly what happened
- Disadvantage: Takes time, attacker may still be active

Remediation-Heavy Strategy:
- Contain and clean immediately (ACTION-06, ACTION-07, ACTION-08)
- Investigate after containment
- Advantage: Stop the attacker quickly
- Disadvantage: May miss something, incomplete cleanup

Balanced Strategy:
- Do some investigation + some remediation each turn
- Use cheaper actions (ACTION-03, ACTION-06, ACTION-08)
- Save expensive actions for critical moments
- Advantage: Steady progress on all three objectives

Communication Strategy

Early Communication:
  - Notify stakeholders early (ACTION-09, ACTION-10, ACTION-12)
  - Show proactive response
  - Maintain trust and credibility

Late Communication:
  - Wait until full picture is known
  - Risk: Stakeholders discover from media
  - Risk: Looks like hiding information

Selective Communication:
  - Notify regulators (required by law)
  - Delay customer notification (if allowed)
  - Focus on internal response first

Mandatory Beats & Budget (v2.2)

With 50 Budget, the mandatory crisis beats are always affordable:

Cheapest mandatory path: 5 + 8 + 10 + 6 = 29 Budget. A stronger balanced path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44 Budget — still within 50.


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by action category:
     - Blue (Investigation): ACTION-01 to ACTION-04
     - Red (Remediation): ACTION-05 to ACTION-08
     - Green (Communication): ACTION-09 to ACTION-12
     - Gold (Crisis Decision): ACTION-13
  3. Include cost in bold on card
  4. Include progress bars (Investigation %, Remediation %, Communication %)
  5. Cut along dotted lines
  6. Track sheets (progress tracks, stakeholder trust): see print pack (coming)

Disaster Recovery Module: Crisis Action Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/event-cards.md

Disaster Recovery Module: Event Timeline Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Event Cards represent external events that occur during the crisis—some predictable deadlines, some escalations triggered by the team's situation. Events create time pressure and complicate the response.

Money mapping: 1 Budget ≈ $50K. Dollar figures are narrative unless converted to Budget on the card.


The Crisis Clock (v2.2)

The game lasts 8 turns. Each turn is one crisis phase of roughly 6-12 hours of narrative time:

| Turn | Narrative Time | Anchor |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Legal/executive escalation complete |
| 3 | +18h | Board meets |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended deadline; default ransom deadline |
| 6 | +48h | Regulatory escalation begins |
| 7 | +60h | Legal/government pressure peaks |
| 8 | +72h | GDPR 72-hour regulatory notification deadline — game ends |

All deadlines in this module use this clock. There are no other timers.


Event Deck Procedure (v2.2)

At setup:
  1. Place the 6 Scheduled events face-down on the timeline at their printed turns.
  2. Place the 6 Triggered events face-up in a reference row where everyone can read their trigger conditions.

Each turn (start of turn):
  1. Reveal and resolve any Scheduled event placed on this turn.
  2. Check every un-fired Triggered event's condition; resolve any whose condition is now met.
  3. Each event fires once per game.

Trust changes from events clamp to 0-100%. Budget changes clamp to a floor of 0.


Scheduled Events

EVENT-01: First Media Coverage

Scheduled: Turn 2
Type: Discovery

Description: A news outlet publishes a story about the breach:
  - "Company Suffers Data Breach" headline
  - Unnamed source gives details
  - Story spreads on social media
  - Phone starts ringing with reporter calls

Resolution:
  - If ACTION-11 (Media Management) was completed before this turn: Media trust +5 (proactive framing works)
  - Otherwise: Media trust -10 (the story runs without your side)

Duration: Ongoing narrative (media coverage continues)


EVENT-04: Board Meeting

Scheduled: Turn 3
Type: Governance

Description: The board of directors holds an emergency meeting to review breach scope, investigation progress, remediation plan, budget, and executive performance.

Resolution:
  - If ACTION-12 (Board Communication) was completed before this turn: Board trust +10 (prepared briefing)
  - Otherwise: Board trust -20 (the board learns details from the news, not from you)

Team Preparation:
  - Should have forensics/investigation underway
  - Should have preliminary findings
  - Should have a communication plan
  - CEO should be briefed


EVENT-03: Customer Notification Window

Scheduled: Turn 5
Type: Deadline checkpoint

Description: Counsel confirms customer notification should not wait any longer. Real-world laws require notification "without unreasonable delay" — in this game, the recommended deadline is end of Turn 5.

Resolution:
  - If ACTION-09 (Customer Notification) is completed by end of Turn 5: no penalty. If it was framed transparently, +5 Reputation at final scoring.
  - If not: Customer trust -10 now and at the start of each later turn until ACTION-09 is completed.
  - Deferred consequence: if customers are never notified in-game, -15 Reputation at final scoring (the statutory notification window is missed after the game ends).


EVENT-09: Shareholder Pressure

Scheduled: Turn 5 (public companies only — skip for private companies)
Type: Governance

Description: Shareholder activists contact the board: demand explanations, threaten a proxy fight, and give interviews about leadership failure.

Resolution:
  - If ACTION-12 (Board Communication) has been completed: Board trust -5 (pressure is absorbed)
  - Otherwise: Board trust -15


EVENT-02: Regulatory 72-Hour Deadline

Scheduled: Turn 6 (escalation begins; final deadline end of Turn 8)
Type: Deadline

Description: The GDPR-style 72-hour clock is running out. Regulators expect notification of the breach (ACTION-10) before the clock expires at end of Turn 8.

Resolution:
  - If ACTION-10 (Regulatory Notification) is already completed: Regulator trust +5 (early, cooperative notification)
  - If not: Regulator trust -10 now and at the start of each later turn (Turns 6, 7, 8) until ACTION-10 is completed.
  - Deferred consequence: if regulators are never notified in-game, -20 Reputation at final scoring (deferred fine — GDPR fines run up to €20M or 4% of global turnover, whichever is HIGHER; narrative-only figure).


EVENT-12: Government Subpoena

Scheduled: Turn 7 (medium/large breaches — skip for small-scope games)
Type: Legal

Description: A subpoena arrives (FBI, state attorney general, or a congressional inquiry): turn over evidence, provide executive testimony, comply with the investigation.

Resolution:
  - Budget -5 (legal fees; floor 0)
  - Executive trust -10 (executives in the spotlight)
  - Investigation +5% (compelled evidence-sharing accelerates fact-finding)

Opportunity: an independent investigation can validate a good-faith response; law enforcement may help recover evidence.


Triggered Events

EVENT-05: Customer Class Action Lawsuit

Trigger: ACTION-09 not completed by end of Turn 5, OR Customer trust below 20% at the start of any turn.
Type: Legal

Description: A law firm recruits customers and files a class action: "Jane Doe et al. vs. [Company Name]" — failure to protect data, failure to notify in a timely way, damages plus attorney fees.

Effects:
  - Customer trust -15
  - Board trust -10
  - -10 Reputation at final scoring

Team Response: Cannot be undone — only mitigated by rebuilding trust for the rest of the game.


EVENT-06: Regulatory Fine

Trigger: Regulator trust below 20% at the start of any turn. (If regulators are never notified in-game, the deferred -20 Reputation from EVENT-02 applies at scoring instead — do not double-apply.)
Type: Regulatory

Description: A regulator announces a penalty for inadequate security and delayed cooperation.

Effects:
  - Budget -10 (≈ $500K; floor 0)
  - Board trust -10
  - -10 Reputation at final scoring

Real-world scale (narrative-only): turnover-based regimes drive the largest penalties — GDPR fines can reach €20M or 4% of global turnover, whichever is HIGHER.


EVENT-07: Media Frenzy

Trigger: Media trust below 20% at the start of any turn, OR no Communication-category action completed by end of Turn 3.
Type: Communication

Description: Major outlets pick up the story: national coverage, "Massive Data Breach" headlines, social media amplification.

Effects:
  - Media trust -20
  - Customer trust -15
  - Board trust -10

Team Response: ACTION-11 (Media Management) plus visible, transparent leadership.


EVENT-08: Second Breach Discovered

Trigger: At the start of Turn 6, Remediation is below 30% AND ACTION-07 (Rebuild) has not been completed.
Type: Escalation — once per game

Description: While responding to the first breach, investigators discover another compromised data store — the attacker maintained hidden persistence.

Effects:
  - The game extends by +2 turns (once per game): play now runs to Turn 10. Scoring deadlines do NOT move — the regulatory deadline remains end of Turn 8.
  - Investigation -30% (new breach invalidates part of your picture)
  - Customer trust -20, Regulator trust -15, Media trust -10, Board trust -15
  - Board releases +10 emergency Budget
  - -10 Reputation at final scoring

Prevention: ACTION-07 (Rebuild), ACTION-04 (Third-Party IR), or strong Remediation progress by Turn 6.


EVENT-10: Competitor Advantage

Trigger: Customer trust below 40% at the start of Turn 5 or any later turn.
Type: Business

Description: A competitor launches a "Trust us with your data" campaign aimed at your customers.

Effects:
  - Customer trust -10
  - Budget -5 (lost revenue; floor 0)

Team Response: Customer communication and visible security improvements; trust can rebuild over the remaining turns.


EVENT-11: Key Executive Resignation

Trigger: Executive trust below 30% at the start of any turn.
Type: Internal

Description: A key executive (CISO, CTO, General Counsel, or CFO) resigns mid-crisis, citing "personal reasons" — really: "I don't trust this response."

Effects:
  - Executive trust -10
  - Board trust -10
  - While Executive trust remains below 30%, the Justification bonus (optional +5% d20) is unavailable — leadership vacuum

Prevention: Regular internal communication, visible progress, board support.


Event Deck Summary (v2.2)

| Event | Kind | Turn / Trigger | Core Effect |
|---|---|---|---|
| EVENT-01 First Media Coverage | Scheduled | Turn 2 | Media +5 if ACTION-11 done, else -10 |
| EVENT-04 Board Meeting | Scheduled | Turn 3 | Board +10 if ACTION-12 done, else -20 |
| EVENT-03 Customer Notification Window | Scheduled | Turn 5 | -10 Customer/turn if ACTION-09 late; never = -15 Rep |
| EVENT-09 Shareholder Pressure | Scheduled | Turn 5 (public co.) | Board -5 (prepared) or -15 |
| EVENT-02 Regulatory 72h Deadline | Scheduled | Turn 6 (deadline Turn 8) | -10 Regulator/turn while un-notified; never = -20 Rep |
| EVENT-12 Government Subpoena | Scheduled | Turn 7 (med/large) | Budget -5, Exec -10, Investigation +5% |
| EVENT-05 Class Action | Triggered | Customers un-notified after T5 or trust <20% | Cust -15, Board -10, -10 Rep |
| EVENT-06 Regulatory Fine | Triggered | Regulator trust <20% | Budget -10, Board -10, -10 Rep |
| EVENT-07 Media Frenzy | Triggered | Media <20% or silent through T3 | Media -20, Cust -15, Board -10 |
| EVENT-08 Second Breach | Triggered | T6: Remediation <30%, no rebuild | +2 turns (once), Inv -30%, trust hits, -10 Rep |
| EVENT-10 Competitor Advantage | Triggered | Customer trust <40% from T5 | Cust -10, Budget -5 |
| EVENT-11 Executive Resignation | Triggered | Executive trust <30% | Exec -10, Board -10, no Justification bonus |

Deadline Summary (v2.2 — the only clock)

| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only (relabeled from the old "12-hour regulatory deadline" — the regulatory anchor is GDPR 72h) |
| Customer notification (ACTION-09) recommended | End of Turn 5 | Customer trust -10/turn; EVENT-05 may trigger; never notified = -15 Reputation at scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) | End of Turn 8 (escalating from Turn 6) | Regulator trust -10/turn from Turn 6; never notified = -20 Reputation at scoring |

Former "30-day"/"60-day" deadlines from v2.1 are re-expressed as the deferred final-scoring consequences above — they no longer exist as separate timers.
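As an added example (not part of the RetroVerse Studios print pack), the Python below implements the start-of-turn event procedure as printed above: standing per-turn penalties, Scheduled reveal, the Triggered check with once-per-game firing, 0-100% trust clamping with the Budget floor, the single 0% loss rule and the deferred scoring consequences, so a TO can sanity-check a turn. It assumes standing penalties resolve before the turn's events and that Triggered conditions are read from a start-of-turn snapshot; the actions' own trust/progress effects and EVENT-08 (which needs Remediation %) are out of scope.

```python
"""Start-of-turn event resolver for the Disaster Recovery event deck (v2.2 rules as printed).
Assumptions: standing per-turn penalties resolve before this turn's Scheduled and Triggered events,
and Triggered conditions are read from a start-of-turn snapshot (one firing cannot trigger another)."""
from dataclasses import dataclass, field

COMM_ACTIONS = {"ACTION-09", "ACTION-10", "ACTION-11", "ACTION-12", "HOLDING"}  # HOLDING = free Holding Statement


@dataclass
class GameState:
    trust: dict = field(default_factory=lambda: dict(customer=50, regulator=60, media=40, board=70, executive=80))
    budget: int = 50
    completed: dict = field(default_factory=dict)   # action id -> turn it was completed
    fired: list = field(default_factory=list)       # events resolved so far, in order
    public_company: bool = False   # EVENT-09 fires for public companies only
    large_breach: bool = False     # EVENT-12 fires for medium/large breaches only

def apply(state, *effects):
    """Trust changes clamp to 0-100%; Budget changes clamp to a floor of 0."""
    for meter, delta in effects:
        if meter == "budget":
            state.budget = max(0, state.budget + delta)
        else:
            state.trust[meter] = max(0, min(100, state.trust[meter] + delta))

def fire(state, event, *effects):
    """Apply an event's effects and record it (each event fires once per game)."""
    apply(state, *effects)
    state.fired.append(event)

def done_by_end(state, action, turn):
    return action in state.completed and state.completed[action] <= turn

def standing_penalties(state, turn):
    """Per-turn penalties that recur until the matching action is completed."""
    decay = turn >= 3 and not any(done_by_end(state, a, turn - 1) for a in COMM_ACTIONS)  # STAKE-01 decay
    late_notify = turn >= 5 and not done_by_end(state, "ACTION-09", turn - 1)             # EVENT-03 penalty
    if decay or late_notify:       # the two customer penalties do not stack: one -10 per turn
        apply(state, ("customer", -10))
    if turn >= 6 and not done_by_end(state, "ACTION-10", turn - 1):                      # EVENT-02 escalation
        apply(state, ("regulator", -10))

def scheduled_events(state, turn):
    """Reveal and resolve the Scheduled event(s) placed on this turn."""
    before = lambda action: done_by_end(state, action, turn - 1)   # "completed before this turn"
    if turn == 2:                           # EVENT-01 First Media Coverage
        fire(state, "EVENT-01", ("media", 5 if before("ACTION-11") else -10))
    if turn == 3:                           # EVENT-04 Board Meeting
        fire(state, "EVENT-04", ("board", 10 if before("ACTION-12") else -20))
    if turn == 5:                           # EVENT-03 window (its -10/turn is applied in standing_penalties)
        fire(state, "EVENT-03")
    if turn == 5 and state.public_company:  # EVENT-09 Shareholder Pressure
        fire(state, "EVENT-09", ("board", -5 if before("ACTION-12") else -15))
    if turn == 6:                           # EVENT-02 deadline: +5 if notified (else -10/turn via standing_penalties)
        fire(state, "EVENT-02", ("regulator", 5 if before("ACTION-10") else 0))
    if turn == 7 and state.large_breach:    # EVENT-12 Government Subpoena
        fire(state, "EVENT-12", ("budget", -5), ("executive", -10))

def triggered_events(state, turn):
    """Check every un-fired Triggered event against a start-of-turn snapshot; resolve all that are met."""
    t = dict(state.trust)
    silent_through_t3 = turn > 3 and not any(done_by_end(state, a, 3) for a in COMM_ACTIONS)
    checks = [  # (event, condition, *effects); Reputation hits are settled in final_scoring
        ("EVENT-05", (turn > 5 and not done_by_end(state, "ACTION-09", 5)) or t["customer"] < 20,
         ("customer", -15), ("board", -10)),
        ("EVENT-06", t["regulator"] < 20, ("budget", -10), ("board", -10)),
        ("EVENT-07", t["media"] < 20 or silent_through_t3, ("media", -20), ("customer", -15), ("board", -10)),
        ("EVENT-10", turn >= 5 and t["customer"] < 40, ("customer", -10), ("budget", -5)),
        ("EVENT-11", t["executive"] < 30, ("executive", -10), ("board", -10)),
    ]
    for event, met, *effects in checks:
        if met and event not in state.fired:
            fire(state, event, *effects)

def start_turn(state, turn):
    """The v2.2 start-of-turn procedure. Returns True when any trust meter hits 0% (single loss rule)."""
    standing_penalties(state, turn)
    scheduled_events(state, turn)
    triggered_events(state, turn)
    return any(value == 0 for value in state.trust.values())

def final_scoring(state):
    """Deferred Reputation consequences at game end (a never-notified regulator replaces EVENT-06's -10)."""
    rep = -10 if "EVENT-05" in state.fired else 0
    rep -= 0 if "ACTION-09" in state.completed else 15
    if "ACTION-10" not in state.completed:
        return rep - 20
    return rep - (10 if "EVENT-06" in state.fired else 0)

def play(plan, **flags):
    """plan maps turn -> action ids completed that turn (constructed input). Returns (collapse turn or None, state)."""
    state = GameState(**flags)
    for turn in range(1, 9):
        if start_turn(state, turn):
            return turn, state
        for action in plan.get(turn, []):
            state.completed[action] = turn
    return None, state
```

Running `play({})` (a team that never communicates) collapses on Turn 5 with Customer trust at 0%, while `play({1: ["ACTION-11"], 2: ["ACTION-12"], 4: ["ACTION-09"], 5: ["ACTION-10"]})` survives all 8 turns with no deferred Reputation loss.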


Turn Sequence with Events (reference)

Standard 8-Turn Disaster Recovery Game:

| Turn | Scheduled Event | Typical Focus |
|---|---|---|
| 1 | | Investigate, contain |
| 2 | First Media Coverage | Investigation, media prep |
| 3 | Board Meeting | Board briefed, regulators notified early |
| 4 | | Remediation |
| 5 | Customer Notification Window + Shareholder Pressure | Customer notification, ransom decision |
| 6 | Regulatory 72h Deadline (escalation begins) | Regulators notified (if not already), remediation |
| 7 | Government Subpoena | Final remediation, communication |
| 8 | — (game ends at +72h) | Wrap-up actions, final scoring |

Gameplay Strategy

Early Game (Turns 1-3)

Mid Game (Turns 4-6)

Late Game (Turns 7-8)


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by event kind:
     - Blue (Scheduled): EVENT-01, EVENT-02, EVENT-03, EVENT-04, EVENT-09, EVENT-12
     - Orange (Triggered): EVENT-05, EVENT-06, EVENT-07, EVENT-08, EVENT-10, EVENT-11
  3. Print the scheduled turn (or trigger condition) prominently on each card
  4. Include consequences clearly
  5. Cut along dotted lines
  6. Event timeline mat: see print pack (coming)

Disaster Recovery Module: Event Timeline Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/disaster-recovery/core-deck/stakeholder-cards.md

Disaster Recovery Module: Stakeholder Cards

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Stakeholder Cards represent the key groups affected by a data breach. Each stakeholder has a trust/satisfaction level (0-100%) that changes based on team actions. Stakeholders can escalate if not managed (triggering Events and budget costs).

Trust Thresholds & Loss (v2.2 — the ONE authoritative rule)

All older thresholds ("<30% trust = loss", "keep above 30/40/50 to win") are removed in v2.2.


Stakeholder Cards

STAKE-01: Customers

Stakeholder Type: External
Primary Concern: Data privacy and service availability
Trust Meter: Starts at 50%
Decay (v2.2): From Turn 3 onward, if the team has completed no Communication-category action (the free Holding Statement counts), Customer trust -10 at the start of each turn. This does not stack with the Turn-5 notification penalty (EVENT-03) — apply one, not both, per turn. Below 20% = CRITICAL warning state (may trigger EVENT-05).

Description: The customers whose data was breached. They want to know:
  - What data was accessed
  - Whether it was encrypted
  - What they should do (change password, watch credit)
  - Whether the company is protecting them
  - Whether to switch providers

Behavior:
  - High Trust (70%+): Continue using service, minor PR impact
  - Medium Trust (40-70%): Some customer loss, but company is "handling it"
  - Low Trust (<40%): Customer exodus, lawsuits, regulatory investigation
  - Critical (<20%): Mass churn, bankruptcy risk, acquisition/collapse

What Affects Trust:
  - Increases Trust:
    - Customer Notification (ACTION-09): +15%
    - Public statement about patch/fix: +5%
    - Free credit monitoring offer: +10%
    - Quick response time: +5% per turn if investigating

Goal:
  - Ideally maintain above 50% for a positive outcome (trust feeds the final Reputation computation)

Loss (v2.2 single rule):
  - Customer trust at 0% = company collapses (immediate loss)
  - Narrative: mass churn, lawsuits, bankruptcy/acquisition

Crisis Actions That Help:
  - ACTION-09 (Customer Notification): +15% trust
  - ACTION-11 (Media Management): +10% trust
  - Any remediation action that shows progress: +2-5%

Special Events:
  - If trust drops too low, class action lawsuit filed (see Event Cards)
  - If trust stays high, customer retention and recovery possible
  - Media coverage affects customer trust (see Stakeholder: Media)


STAKE-02: Regulators

Stakeholder Type: Government/Legal
Primary Concern: Compliance with breach notification laws
Trust Meter: Starts at 60%
Escalation (v2.2): If ACTION-10 is not completed, Regulator trust -10 at the start of each turn from Turn 6 (see EVENT-02). Below 20% = CRITICAL warning state (triggers EVENT-06 Regulatory Fine).

Description: Government agencies that regulate data privacy:
  - State attorneys general (breach notification laws)
  - Federal regulators (healthcare, financial, etc.)
  - International regulators (GDPR if any EU customers)
  - Law enforcement (FBI, Secret Service)

Behavior:
  - High Confidence (70%+): Voluntary cooperation, no penalties
  - Medium Confidence (40-70%): Investigation, possible fines
  - Low Confidence (<40%): Aggressive investigation, significant fines
  - Critical (<20%): Criminal prosecution, company shut down

What Affects Regulatory Confidence:
  - Increases Confidence:
    - Regulatory Notification (ACTION-10): +20%
    - Prompt customer notification: +10%
    - Third-party incident response (ACTION-04): +15%
    - Forensics evidence: +10%
    - Proactive remediation: +5%

Regulatory Requirements Vary (real-world flavor; the in-game clock is GDPR 72h = end of Turn 8):
  - GDPR (EU): Notify supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER
  - California: Notify without unreasonable delay; CCPA statutory damages fuel class actions
  - HIPAA: Notification within 60 days (healthcare)
  - Sector-Specific: Finance, healthcare have stricter rules

Goal:
  - Maintain regulatory confidence above 50%
  - Comply with the Turn-8 notification requirement

Loss (v2.2 single rule):
  - Regulator trust at 0% = company collapses (immediate loss)
  - Narrative: crippling fines, criminal prosecution, license revoked

Crisis Actions That Help:
  - ACTION-10 (Regulatory Notification): +20% confidence
  - ACTION-04 (Third-party IR): +15% confidence
  - ACTION-05, ACTION-07 (Remediation): +5-10%

Special Events:
  - If notification deadline missed: Regulatory Penalty Event
  - If confidence drops too low: Fine Assessment Event
  - If properly handled: Regulatory Cooperation Event (reduced penalties)


STAKE-03: Media / Public

Stakeholder Type: External / Communication
Primary Concern: Newsworthy story (bigger = bigger problem)
Trust Meter: Starts at 40% (media is naturally skeptical)
Escalation: Escalates based on company response quality

Description: Media outlets, journalists, bloggers, social media. Media decides whether breach is:
  - Small tech story (1 article)
  - Major business news (multiple outlets, days)
  - National news (major outlets, weeks)
  - International scandal (global coverage)

Behavior:
  - Positive Coverage (70%+): "Company handled breach well", trust maintained
  - Neutral Coverage (40-70%): Matter-of-fact reporting, some concern
  - Negative Coverage (<40%): "Company slow to respond", "Cover-up suspected"
  - Scandal (<20%): Major negative coverage, "Company failed customers"

What Affects Media Coverage:
  - Positive Factors:
    - Proactive media statement (ACTION-11): +20%
    - Quick notification (customers notified by end of Turn 5): +15%
    - CEO takes responsibility: +10%
    - Transparent communication: +10%
    - Third-party validation: +5%

Media Impact on Business:
  - Positive media → customers stay, suppliers trust company
  - Negative media → customers leave, stock price drops, suppliers question
  - Scandal media → business collapse possible, bankruptcy risk

Goal:
  - Maintain media trust above 40%
  - Frame narrative as "company handled responsibly"
  - Minimize negative coverage (below 20% = CRITICAL warning; triggers EVENT-07)

Loss (v2.2 single rule):
  - Media trust at 0% = company collapses (immediate loss)
  - Narrative: negligence narrative sticks, stock crash, consumer boycott

Crisis Actions That Help:
  - ACTION-11 (Media Management): +20% coverage
  - ACTION-09 (Customer Notification): +5% (transparency)
  - ACTION-12 (Board Communication): +5% (if credible)

Special Events:
  - If company is silent: "Media Frenzy" Event (increased coverage)
  - If company responds well: "Positive Coverage" Event (mitigates damage)
  - If executives hide: "Cover-up Narrative" Event (major damage)


STAKE-04: Board of Directors

Stakeholder Type: Internal / Governance
Primary Concern: Company liability and fiduciary duty
Trust Meter: Starts at 70% (board is inherently supportive initially)
Escalation: Drops if response is inadequate; may fire CEO

Description: Board of directors (and C-level executives if private company). Board must:
  - Fulfill fiduciary duty to shareholders
  - Authorize major spending (crisis response can be very expensive)
  - Decide on disclosure (SEC rules if public)
  - Decide on executives' future (fire/retain CEO)
  - Manage shareholder relationships

Behavior:
  - High Confidence (70%+): Board is supportive, authorizes spending, defends executives
  - Medium Confidence (40-70%): Board is questioning, scrutinizes spending, considers changes
  - Low Confidence (<40%): Board is critical, may fire CEO, considers restructuring
  - Critical (<20%): Board votes to remove management, sell company, or file bankruptcy

What Affects Board Confidence:
  - Increases Confidence:
    - Board Notification (ACTION-12): +20%
    - Professional incident response: +15%
    - Quick containment: +10%
    - Good regulatory relationship: +10%
    - Transparent communication: +5%

Board Decision Points (v2.2 clock):
  - Turn 3: Board Meeting (EVENT-04; ACTION-12 should be done before it)
  - Board decides if CEO retains confidence
  - Major spending approvals (forensics, lawyers, PR)
  - Disclosure decisions

Goal:
  - Maintain board confidence above 50%
  - Board authorizes necessary spending
  - Executives retain their positions (below 20% = CRITICAL warning state)

Loss (v2.2 single rule):
  - Board trust at 0% = company collapses (immediate loss)
  - Narrative: CEO fired, forced sale, bankruptcy filing

Crisis Actions That Help:
  - ACTION-12 (Board Notification): +20% confidence
  - ACTION-04 (Third-party IR): +15% (shows professional response)
  - ACTION-01, ACTION-07 (Forensics/Rebuild): +5-10%

Special Events:
  - Turn 3: Board Meeting Event (first assessment)
  - If confidence drops low: "CEO Removed" Event (new CEO, game becomes harder)
  - If well-managed: "Board Confidence Maintained" Event (positive modifier)


STAKE-05: Executive Leadership

Stakeholder Type: Internal / Management
Primary Concern: Job security and company survival
Trust Meter: Starts at 80% (executives are naturally supportive initially)
Escalation: Drops if response is chaotic; may resign or sabotage

Description: C-level executives (CEO, CTO, CFO, CISO, General Counsel) who must:
  - Make critical decisions under pressure
  - Coordinate crisis response
  - Handle media inquiries
  - Present to board
  - Ensure company continues operating
  - Manage their own careers/reputations

Behavior:
  - High Morale (70%+): Executives are focused, coordinated, decisive
  - Medium Morale (40-70%): Executives are stressed, some disagreements, slower decisions
  - Low Morale (<40%): Executives may resign, infighting, poor decisions
  - Critical (<20%): Executive exodus, chaos, no leadership

What Affects Executive Morale:
  - Increases Morale:
    - Clear incident response plan: +15%
    - Professional guidance (consultants): +10%
    - Regular communication/updates: +5% per turn
    - Board support: +10%
    - Progress on containment: +5%

Executive Departures Risk:
  - If morale drops too low, key executives resign
  - Each resignation removes their expertise from future decisions
  - Replacement executives are less effective initially
  - Crisis becomes harder to manage

Goal:
  - Maintain executive morale above 50%
  - Prevent key executive resignations (below 30% triggers EVENT-11; below 20% = CRITICAL warning state)
  - While Executive trust is below 30%, the Justification bonus is unavailable (see EVENT-11)

Loss (v2.2 single rule):
  - Executive trust at 0% = company collapses (immediate loss)
  - Narrative: executive exodus, leadership vacuum, chaos

Crisis Actions That Help:
  - Regular communication: +5% per turn
  - Professional response team: +10%
  - Regulatory/customer progress: +5%
  - Board confidence: +10%

Special Events:
  - If morale drops low: "Executive Resignation" Event (key person leaves)
  - If morale stays high: "Leadership United" Event (positive coordination bonus)
  - Media attacks on executives: Morale drop (-10%)


Stakeholder Summary

| Stakeholder | Type | Start Trust | Critical Warning | Primary Actions |
|---|---|---|---|---|
| Customers | External | 50% | <20% | ACTION-09 (notify), ACTION-11 (PR) |
| Regulators | Government | 60% | <20% | ACTION-10 (notify), ACTION-01/04 (forensics) |
| Media | External | 40% | <20% | ACTION-11 (PR), ACTION-09 (transparency) |
| Board | Internal | 70% | <20% | ACTION-12 (notify), ACTION-04 (guidance) |
| Executives | Internal | 80% | <20% (resignations from <30%) | Regular communication, success indicators |

Reminder (v2.2): critical is a warning state only. The single loss condition is any trust meter at 0%. Meters clamp to 0-100%.


Gameplay Strategy

Multi-Stakeholder Management

Teams must balance managing five competing stakeholder groups:

Prioritization Strategy 1: External First
  - Focus on Customers and Media
  - Maintain public trust
  - Regulators will follow
  - Risk: Internal management gets neglected

Prioritization Strategy 2: Internal First
  - Focus on Board and Executives
  - Maintain leadership confidence
  - Internal team makes better decisions
  - Risk: External stakeholders (customers, media) get neglected

Prioritization Strategy 3: Balanced
  - Do some actions for each stakeholder group
  - Distribute budget across all notifications
  - More complex but sustainable
  - Risk: Medium progress on all, complete on none

Prioritization Strategy 4: Targeted
  - Identify critical stakeholder (maybe regulators)
  - Focus budget there
  - Neglect others
  - Risk: Single stakeholder collapse

Stakeholder Interactions

Stakeholders influence each other:
  - Media → Customers: If media says "company hid breach", customers distrust (stack penalties)
  - Regulators → Customers: If regulator fines company, customers see company as unsafe
  - Board → Executives: If board removes CEO, executives lose confidence
  - Executives → Board: If executives resign, board loses confidence in response
  - Customers → Stock Price: If customer trust drops, stock price drops (affects Board decisions)


Escalation Mechanics

Each stakeholder's escalation matches a Triggered Event (see Event Cards — those are the authoritative conditions):

Customers Escalate If:

Regulators Escalate If:

Media Escalates If:

Board Escalates If:

Executives Escalate If:


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code by stakeholder type:
     - Blue (External): STAKE-01 (Customers), STAKE-03 (Media)
     - Red (Internal): STAKE-04 (Board), STAKE-05 (Executives)
     - Purple (Government): STAKE-02 (Regulators)
  3. Include trust meter on each card (0-100% indicator)
  4. Include escalation triggers
  5. Cut along dotted lines
  6. Stakeholder tracker sheet: see print pack (coming)

Disaster Recovery Module: Stakeholder Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/disaster-recovery/expansion-deck/advanced-scenarios.md

Disaster Recovery Module: Advanced Crisis Scenarios (Expansion)

Version: 2.2 - Playtest Edition
Last Updated: October 2025


Overview

Advanced Scenario Cards extend the Disaster Recovery module with sophisticated, multi-faceted crisis situations that challenge experienced crisis management teams.

How scenarios work (v2.2): each scenario is played with the standard core rules — same 8-turn clock, same Action/Event/Stakeholder cards, same scoring. A scenario adds its "Special Events" as extra Scheduled events on the timeline at setup, and applies its concrete Difficulty (v2.2) effects (listed per scenario, replacing the old percentage "difficulty multipliers"). The only mechanical layers are the Special Events and the Difficulty block; "Cost Implications" sections are narrative color for the debrief. Dollar figures are narrative-only unless converted at 1 Budget ≈ $50K.


Advanced Crisis Scenarios

SCENARIO-01: Multi-Region Breach with Data Sovereignty Issues

Complexity: ADVANCED
Affected Regions: US + EU + Asia
Primary Challenge: Different legal requirements for different regions

Description: Breach affects customer data in multiple countries with different privacy laws:
  - US (California): notify without unreasonable delay; CCPA statutory damages fuel class actions
  - EU (GDPR): 72-hour notification deadline; fines up to €20M or 4% of global turnover, whichever is HIGHER
  - Asia (varies): Different deadlines and requirements in each country

Data residency requirements mean:
  - EU customer data cannot be transferred to US servers
  - Forensics must happen in country where data is stored
  - Different regulators in each country demand investigation
  - Different notification laws require different messages

Key Complications:
  - Timeline Conflict: EU regulators demand notification faster than the domestic clock; US requires notification without unreasonable delay; Asia varies
  - Legal Conflict: EU GDPR vs. US lawful intercept (conflicting requirements)
  - Investigation: Must conduct forensics in multiple jurisdictions simultaneously
  - Costs: Multi-region response = much higher costs

Team Decision Points:
  1. Which region to prioritize (cannot satisfy all simultaneously)
  2. How to conduct forensics across jurisdictions
  3. How to notify customers differently per region
  4. How to handle conflicting regulatory requirements

Special Events (added to the timeline at setup):
  - Turn 2: EU regulators demand notification — a second ACTION-10 play (EU filing) is due by end of Turn 4
  - Turn 5: International regulators demand investigation coordination (Regulator trust -5 if Investigation is below 25%)
  - Turn 6: Data residency complication — if the EU filing was missed, Regulator trust -10 per turn (in place of, not stacked with, the core EVENT-02 escalation)

Cost Implications:
  - Multi-region legal and forensics overhead: see Difficulty below
  - Regulatory fines can stack across jurisdictions (narrative-only)
  - Notification costs: translations, different templates, regulatory filings

Team Response:
  - Must prioritize regions (satisfy EU first due to timeline)
  - Must engage local lawyers in each jurisdiction
  - Must conduct compliant investigation (following local laws)
  - Communication % must advance faster than usual

Difficulty (v2.2):
  - All Communication advances -5% (multi-jurisdiction overhead; minimum +5%)
  - A second regulator notification (EU) is required by end of Turn 4 (ACTION-10 played twice this game)
  - Set aside 5 Budget at setup as a translation/filing reserve (unavailable for actions)


SCENARIO-02: Ransomware with Extortion Threat

Complexity: ADVANCED Attacker Demand: $10M ransom or threaten to sell/publish data Primary Challenge: Responding to extortion threats

Description: Attacker not only encrypted data but also stole data and threatens public disclosure: - "Pay up or we publish 50GB of customer PII on dark web" (demand ≈ 20 Budget; narrative "$10M" for a large enterprise) - Attacker provides proof of data access (sample files) - Extortion email sent to CEO and board - Attacker sets the deadline at the start of Turn 5 (the core ACTION-13 ransom deadline)

Key Complications: - Payment Question: Pay ransom or not? - Paying: Funding criminal enterprise, no guarantee of data deletion - Not paying: Risk of data publication (massive PR disaster) - Disclosure Dilemma: Tell customers about extortion threat? - Yes: Customers fear data will be published - No: If data is published, looks like cover-up - Law Enforcement: FBI recommends not paying (incentivizes more attacks) - Backup Reliance: Can you recover without paying?

Timeline Pressure (Special Events added at setup): - Turn 1: Extortion email; ransom deadline set at start of Turn 5 - Turn 2: First partial data publication (attacker shows they have data): Media trust -5 - Turn 3: Attacker lowers price (negotiation attempt; pure roleplay — ACTION-13 costs are unchanged) - Turn 5: Deadline reached — resolve ACTION-13 as printed (publish if unpaid; +2 turns if NEGOTIATE)

Financial Dilemma: - Ransom: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage - Recovery from backup: Slow (if backups exist) - Data publication: Regulatory fines + lawsuits (potentially $50M+ liability; narrative-only) - Public disclosure: Stock price crash, customer loss

Team Decisions: 1. Pay ransom? (Risk: Encourages future attacks, no guarantee) 2. Attempt to recover from backup? (Risk: Slow recovery, data loss) 3. Notify customers before/after data publication? (Risk: Either way is bad) 4. Notify regulators? (Required, but shows full extent of damage)

Law Enforcement Engagement:
- FBI opens a criminal investigation (federal crime) alongside your response; it does not run your incident response for you
- Agents may ask you to preserve systems as evidence or hold off on some actions (reduces team's control of timing)
- May recommend keeping the negotiation channel open (stalls the attacker and gathers intelligence on the actor)
- Investigation may take weeks (slow response)

Special Events (added to the timeline at setup): - Turn 3: Media discovers extortion threat ("CEO held for ransom"): Media trust -10 - Turn 4: Attacker releases more sample data: Customer trust -5

Cost Implications: - Ransom: 20 Budget if paid (ACTION-13 PAY, as printed) - FBI coordination and extortion-specific notification overhead: see Difficulty below - Regulatory fines if data published: narrative-only (GDPR-scale)

Difficulty (v2.2): - Remediation advances are halved until ACTION-13 is declared (operational paralysis while the decision hangs) - Use ACTION-13 exactly as printed; the ransom deadline is start of Turn 5


SCENARIO-03: Supply Chain Compromise (Vendor Breach Affects Customers)

Complexity: ADVANCED Vector: A vendor's data store holding YOUR customers' data is breached Primary Challenge: Managing responsibility for vendor compromise

Description: Investigation reveals attacker didn't target your company directly—they compromised a vendor you use: - Your company uses cloud storage vendor (e.g., competitor to AWS) - That vendor was breached - Attacker gained access to YOUR customer data stored at vendor - Question: Who is responsible? You? Vendor? Both?

Key Complications:
- Liability Question:
  - You're liable to customers (you selected vendor)
  - Vendor is liable (their security failure)
  - Customers might sue both
- Vendor Response:
  - Vendor may be uncooperative (deny liability)
  - Vendor may be bankrupt (vendor company collapse during breach)
  - Vendor may not investigate properly
- Notification Question:
  - Tell customers you chose bad vendor?
  - Or just notify about data breach without explaining vendor?
  - Either way looks bad
  - Under GDPR you are the controller and the vendor the processor: the vendor must tell you without undue delay, but the 72-hour notification to the regulator is yours to make
- Investigation:
  - Must investigate vendor (not your own systems)
  - Vendor may not cooperate
  - Limited forensic access (you don't control vendor systems; the audit and breach-notification clauses in your contract decide what you can demand)
  - Regulatory agencies may blame you anyway

Responsibility & Liability: - Customer lawsuits: "You failed to vet vendor properly" - Regulatory fines: "You failed to oversee third-party risk" - Vendor lawsuits: "Vendor refuses to pay damages" - Vendor bankruptcy: "Vendor can't pay, customers turn to you"

Team Decisions: 1. Blame vendor (legally risky, looks bad) 2. Share responsibility (legally safer, but costs more) 3. Quickly terminate vendor relationship (looks reactive) 4. Demand vendor pay for notification/remediation (vendor may refuse)

Special Events: - Turn 1: Discovery that vendor was breached - Turn 2: Vendor denies liability / claims it's your responsibility - Turn 3: Regulatory agency demands to know vendor details - Turn 4: First customer lawsuit against both you AND vendor - Turn 5: Vendor declares bankruptcy (can't pay damages)

Cost Implications: - Investigation into vendor: +8 Budget (forensics at vendor site) - Legal: +20 Budget (defending against liability claims) - Regulatory fines: Potentially full amount (you're still liable) - Customer lawsuits: Likely regardless of vendor's role - Vendor transition: +15 Budget (switch to new vendor, migrate data)

Communication Challenge: - Customers angry at you (you chose bad vendor) - Media: "Company failed to vet third-party security" - Regulatory: "Poor third-party risk management" - Board: "Why did we use this vendor?"

Difficulty (v2.2): - Investigation advances -5% (no direct access to vendor systems; minimum +5%) - Set aside 10 Budget at setup as a legal reserve (unavailable for actions) - Turn-5 Special Event: vendor declares bankruptcy — Board trust -10


SCENARIO-04: Insider Threat Revealed Mid-Crisis

Complexity: ADVANCED Attacker: Current employee, not external hacker Primary Challenge: Organizational trauma and trust collapse

Description: During investigation of external breach, forensic team discovers: - The "external breach" had help from insider - Employee provided attacker with access/credentials - Employee may have also exfiltrated data - Employee is still working at company (not yet caught)

Key Complications:
- Who is involved?
  - Single rogue employee?
  - Conspiracy (multiple employees)?
  - Which departments are involved?
- Motive:
  - Disgruntled employee selling data
  - Corporate espionage (hired by competitor)
  - Theft for personal gain
  - Political/ideological motivation
- Scope:
  - What other systems did insider compromise?
  - What data did they access/steal?
  - How long were they active?
  - Are there other insiders?
- HR/Legal:
  - Fire the employee immediately (risks legal action; revoke every account and collect their devices before the conversation, or the evidence walks out with them)
  - Continue employment while investigating (ethics question; quietly restrict access and log everything they touch in the meantime)
  - Involve law enforcement (police investigation)
  - Civil litigation from employee (wrongful termination claims)

Organizational Impact: - Trust in employees collapses - Morale plummets (people suspect each other) - Staff paranoia increases - Executive distraction (investigating insider)

Special Events: - Turn 2: Forensics discovers insider involvement - Turn 3: HR/Legal team must decide: fire or investigate? - Turn 4: If fired, wrongful termination lawsuit likely - Turn 4: If not fired, employee may destroy more evidence - Turn 5: Law enforcement investigation (if reported to police)

Team Decisions: 1. Immediately fire employee (legal risk but stops damage) 2. Continue employment while investigating (ethical but risky) 3. Involve law enforcement (criminal investigation, slow) 4. Settle potential lawsuits preemptively (expensive)

Investigation Complexity: - Cannot trust employee's explanations - Must verify what employee had access to - Must recover deleted data/logs - Must interview other employees - Investigation takes much longer (suspicious of everyone)

Cost Implications: - Extended forensics: +15 Budget (investigating employee) - Legal: +25 Budget (employment law, potential settlements) - HR investigation: +8 Budget (interview staff, background checks) - Remediation: +20 Budget (credential reset, system rebuild) - Potential lawsuit: Millions if significant

Communication Challenge: - Cannot publicly disclose insider involvement (defamation risk) - Regulators and customers demand explanation - Media: "Company had insider threat" - Board: "Why was security so bad?"

Difficulty (v2.2): - Investigation advances are halved until Investigation reaches 50% (internal accounts cannot be trusted) - Executive trust starts at 60% (instead of 80%) - ACTION-08 (Credential Reset) is effectively mandatory — if not completed by end of Turn 6, EVENT-08 (Second Breach) fires automatically


SCENARIO-05: Critical Infrastructure Breach (Safety/Lives at Risk)

Complexity: ADVANCED+ Sector: Utilities, Healthcare, Transportation, Manufacturing Primary Challenge: Physical safety takes priority over cybersecurity response

Description: Breach affects critical infrastructure where compromise could cause physical harm: - Healthcare: Hospital network compromise during surgery (patient safety risk) - Utilities: Power grid compromise during storm (people without power/heat) - Transportation: Traffic system compromise (accidents possible) - Manufacturing: Production system compromise (equipment failure)

Key Complication: Safety > Security - Cannot shut down system for forensics if the shutdown itself would harm people - Cannot remediate if it requires system downtime - Incident response must preserve operational safety - Balances security investigation with operational continuity

Regulatory Escalation: - CISA (Cybersecurity and Infrastructure Security Agency) involved immediately - A government-led incident command structure (NIMS/ICS) may be stood up over the response - Government mandates response (not optional) - Military/intelligence agencies may be involved - Cannot investigate without government approval

Special Considerations: - Lives are at stake (not just data) - Response priorities are: Safety → Containment → Investigation - Traditional forensics may be impossible (system must stay operational; collect passively, such as network captures and log or historian exports, rather than imaging live controllers) - Attacker knows system is critical (leverage for negotiation)

Special Events: - Turn 1: CISA declaration of critical infrastructure incident - Turn 2: Government takes partial control of response (may override company decisions) - Turn 3-4: Attacker threatens system shutdown (extortion using safety risk) - Turn 5: Coordinated media/government briefings (national security implications)

Team Decisions: 1. Continue operations (risk of safety incident) or shut down (risk to people without service)? 2. Engage with government agencies (lose control of response) 3. Negotiate with attacker (payment may violate OFAC sanctions if the actor is sanctioned; government will weigh in) 4. Accept potential service interruption (for safety)

Cost Implications: - Immediate government response: +50 Budget (federal agencies) - Operational impact: Unknown (depends on what breaks) - Remediation: Cannot shut down system (very limited options) - Investigation: Deferred (safety is priority) - National security classification: Investigation may be classified (cannot discuss publicly)

Communication Challenge: - Cannot disclose security details (national security) - Cannot disclose full scope (might encourage copycat attacks) - Public panic risk (if people know infrastructure is vulnerable) - Media cannot report full details (government requests)

Difficulty (v2.2): - Remediation advances are halved (systems must stay operational — no downtime allowed) - Communication advances -5% (national security disclosure restrictions; minimum +5%) - ACTION-13 PAY is unavailable (government prohibits payment) - Turn-1 Special Event: CISA declaration — Regulator trust starts at 50% but ACTION-10 gives +25 instead of +20 (cooperation is rewarded)


SCENARIO-06: Stock Price Crash (Public Company Panic)

Complexity: ADVANCED Trigger: Negative media coverage + analyst downgrades Primary Challenge: Managing financial crisis alongside security crisis

Description: Public company stock price crashes following breach announcement: - News of breach announced - Stock drops 10-20% in first day - Short-sellers amplify negative sentiment - Analysts downgrade stock rating - Institutional investors sell (panic selling) - Stock drops 30-50% or more

Key Complications:
- Financial Crisis:
  - Company loses market value ($1B+ in some cases)
  - Credit rating downgrade possible
  - Difficulty accessing credit markets
  - Acquisition at depressed price possible
- Board/Shareholder Panic:
  - Shareholders demand CEO removal
  - Board may fire executives immediately
  - Board may accept lowball acquisition offer
  - Media coverage of internal turmoil
- Business Disruption:
  - Employee morale crashes (stock is part of compensation)
  - Key employees leave (seeking more stable companies)
  - Customer confidence drops
  - Supplier payment delays (credit rating issue)
  - Business slows due to loss of employee focus

Investor Psychology: - Fear-driven selling (stock is "falling knife") - Rumors spread (company is bankruptcy risk) - Technical traders amplify selling (algorithmic trading) - Recovery takes months/years even if breach is minor

Special Events: - Turn 1: Stock drops 20% (breach announcement) - Turn 2: Analyst downgrades (stock drops another 15%) - Turn 3: Media "Death Spiral" narrative ("Company Doomed") - Turn 4: Short-seller report (negative narrative amplified) - Turn 5: Activist investor demands board change - Turn 6: Acquisition offer from vulture investor (lowball) - Turn 7: Board may accept acquisition (loses independence)

Team Decisions: 1. Focus on crisis response (stock takes care of itself) 2. Spend effort on investor relations (PR effort) 3. Respond to activist pressure (appeasement or defiance?) 4. Accept acquisition offer or fight it?

Indirect Crisis Complications: - Cannot spend freely on response (stock-based credit) - May need to cut crisis response budget (unexpected) - Board becomes distracted (shareholder meetings, hostile negotiations) - Executives leave (job market is competitive) - Crisis response effectiveness drops

Cost Implications: - Investor relations campaign: +10 Budget - Board/shareholder meetings: Distraction (-10 effectiveness) - Potential acquisition: Loss of independence - Employee departures: Loss of key expertise - Credit access: May be restricted (raises costs)

Communication Challenge: - Must manage investor narrative (balance hope + realism) - Must appear competent (or stock collapses more) - Media attention is intense (every statement scrutinized) - Cannot show weakness (stock market punishes)

Difficulty (v2.2): - Board trust starts at 50% (instead of 70%) - Budget -10 at setup (credit crunch) - EVENT-09 (Shareholder Pressure) fires at Turn 3 AND Turn 5 (it is scheduled twice this game)


SCENARIO-07: Ransomware + Data Breach + Business Email Compromise

Complexity: ADVANCED+ Multiple Simultaneous Compromises: Systems encrypted + data stolen + email account compromised Primary Challenge: Responding to multiple attack objectives simultaneously

Description: Not a single attack but multiple overlapping compromises: 1. Ransomware: File servers encrypted (production stops, cannot access files) 2. Data Breach: Database stolen (customer data exfiltrated) 3. Email Compromise: CEO's email account compromised (attacker can send as CEO)

Key Complications:
- Attacker has multiple leverage points:
  - "Pay ransom or systems stay encrypted" (operational pressure)
  - "Pay to prevent data publication" (financial/reputational pressure)
  - "Stop responding or we'll send fake CEO email" (social engineering pressure)
- Investigation difficulty:
  - Multiple attack vectors to investigate
  - May be different attackers or coordinated campaign
  - Each compromise has different timeline
  - Cannot determine if attacks are related or independent
- Remediation priorities clash:
  - Decrypt systems immediately (get operations back)
  - Recover stolen data (prevent publication)
  - Secure CEO email account (reset credentials, revoke active sessions and tokens, remove any forwarding rules the attacker added)
  - Cannot do all three at once (budget/time constraints)

Special Complications:
- Fake CEO Email Risk:
  - Attacker sends email as CEO
  - "Approves" emergency spending
  - "Authorizes" data transfers
  - "Orders" employee actions
  - Teams cannot tell if email is real (it really comes from the CEO's mailbox, so sender checks pass; only out-of-band confirmation by phone or in person catches it)
- Timeline Acceleration:
  - Email compromise creates urgency
  - Attacker can impersonate executives
  - Must immediately notify all employees and require out-of-band verification of any payment or data-transfer request
  - Breach of trust (employees distrust CEO emails)

Special Events: - Turn 1: Discovery of ransomware + data breach - Turn 2: Discovery of CEO email compromise - Turn 3: Fake CEO email sends "emergency transfer" (employees confused) - Turn 4: Attacker threatens to send more fake emails (escalation) - Turn 5: Ransom deadline, data publication deadline, email account deadline (all converging)

Investigation Complexity: - Three separate forensics investigations (expensive) - Each compromise requires different approach - Timelines may overlap (more complexity) - May be related (same attacker) or unrelated (unlucky)

Cost Implications: - Triple forensics: +20 Budget (investigating all three) - Triple ransom/extortion demands: $10M+ total - Remediation: +25 Budget (rebuild files, backup, email security) - Communication: +15 Budget (notifying employees about fake emails) - Regulatory fines: Stacked (multiple breach types)

Team Decisions: 1. Which compromise to prioritize? (Cannot fix all simultaneously) 2. Pay multiple ransoms or negotiate single amount? 3. How to prevent fake CEO emails during investigation? 4. How to rebuild trust after email compromise?

Communication Challenge: - Must warn employees about fake emails (careful wording) - Cannot fully disclose CEO email compromise (executive embarrassment) - Must appear to have control (or stock crashes) - Media narrative: "Multiple breaches mean security is very bad"

Difficulty (v2.2): - +2 turns of events: EVENT-08 (Second Breach) is pre-armed and fires automatically at Turn 6 (once) — the game runs 10 turns - All track advances -5% (three simultaneous investigations; minimum +5%) - The ransom deadline covers all three extortion threats — one ACTION-13 decision resolves them together


SCENARIO-08: Breach During Merger/Acquisition (Regulatory + Deal Complications)

Complexity: ADVANCED+ Context: Breach happens while company is being acquired or merging Primary Challenge: Managing breach while deal dynamics change

Description: Breach is discovered during critical phase of M&A transaction: - Company announced acquisition/merger - Deal close in 30-45 days - Due diligence is underway (acquirer evaluating company) - Breach discovered mid-deal - Acquirer may walk away (reduces deal value or terminates) - Regulators may block deal (antitrust, security concerns)

Key Complications:
- Deal Dynamics:
  - Acquirer discovers breach during due diligence
  - Acquirer may lower offer price (leverage)
  - Acquirer may demand warranty/escrow (financial penalty)
  - Deal may fail entirely (destroys shareholder value)
- Information Control:
  - Acquirer has limited information (still under NDA)
  - Seller has incentive to minimize breach
  - Acquirer has incentive to maximize perceived severity
  - Buyer/seller information asymmetry complicates response
- Regulatory Issues:
  - Merger may be blocked for security concerns
  - FTC may demand security improvements (delay deal)
  - State regulators may oppose merger (security risk)
  - Deal timing already tight (additional scrutiny delays close)
- Board Pressure:
  - Board wants to preserve deal value
  - May demand minimal response (to not disclose full scope)
  - May pressure executives to downplay breach
  - Creates pressure for inadequate response

Timeline Pressure: - Deal must close in 30-45 days - Breach response takes time - Regulatory review adds time - Conflicting priorities: Deal vs. Response

Special Events: - Turn 1: Breach discovered, acquirer learns in due diligence - Turn 2: Acquirer threatens to walk away (leverage) - Turn 3: Price renegotiation (acquirer lowers offer 10-20%) - Turn 4: Regulatory delay (FTC requests documents) - Turn 5: Deal extension negotiations (need more time for breach response) - Turn 6: Shareholder lawsuit (shareholders allege breach was hidden)

Team Decisions: 1. Full disclosure to acquirer (cooperation but deal value drops) 2. Minimal disclosure (preserve deal but fraud risk) 3. Separate negotiation: breach response vs. acquisition terms 4. Push for deal delay (to respond properly to breach)

Complex Incentives:
- Company wants:
  - Deal to close at good price
  - Breach to be minimized
  - Acquirer to handle breach remediation
- Acquirer wants:
  - Full disclosure of breach
  - Lower price to account for risk
  - Warranties that seller covers breach costs
- Regulators want:
  - Full investigation
  - Breach remediation
  - Assurance of future security
  - May block if combined entity is too powerful

Cost Implications: - Breach response: Standard costs (+20-30 Budget) - Deal renegotiation: Millions in lost value - Regulatory review: Delays (may block deal) - Shareholder lawsuit: If breach was hidden, liability - Escrow/warranty: Seller may have to hold money as security

Communication Challenge: - Cannot disclose full breach details (acquirer has leverage) - Cannot hide breach (fraud risk) - Must negotiate simultaneously with acquirer + regulators + investigators - Media discovery complicates (stock price pressure)

Difficulty (v2.2): - Communication advances are halved (every statement is reviewed by two legal teams) - Board trust starts at 50% (deal-preservation pressure to under-respond) - Turn-3 Special Event: price renegotiation — Board trust -10 if Investigation is below 25% (the board can't answer the acquirer's questions)


Advanced Scenarios Summary

Scenario      Challenge                 Difficulty  Key Pressure
SCENARIO-01   Multi-Region Legal        HIGH        3 different regulatory timelines
SCENARIO-02   Ransomware Extortion      HIGH        $10M decision + data publication threat
SCENARIO-03   Supply Chain Liability    HIGH        Vendor failure, customer trust
SCENARIO-04   Insider Threat            HIGH        Organizational trust collapse
SCENARIO-05   Critical Infrastructure   EXTREME     Lives at risk, government control
SCENARIO-06   Stock Crash               HIGH        Financial crisis + board pressure
SCENARIO-07   Triple Compromise         EXTREME     3 simultaneous attacks, multiple ransoms
SCENARIO-08   M&A Complications         EXTREME     Deal value + regulatory blocks

Gameplay Recommendations

When to Use Advanced Scenarios

Use if: - Playing with experienced crisis management teams - Want sophisticated, realistic scenarios - Have time for complex decision-making (add 20-30 min per scenario) - Want to teach cascading effects of bad decisions

Skip if: - Playing with beginners (too complex) - Want simpler, faster gameplay - Limited time available - Focus is on learning basics

Scenario Selection Strategy

Start with easier scenarios: 1. SCENARIO-01 (Multi-Region): Heaviest on bookkeeping, but the choices are clear 2. SCENARIO-02 (Ransomware): Familiar from news, clear choices 3. SCENARIO-04 (Insider): Interesting organizational dynamics

Progress to harder scenarios: 4. SCENARIO-03 (Supply Chain): Adds liability complexity 5. SCENARIO-06 (Stock Crash): Financial crisis layer

Reserve for expert play: 6. SCENARIO-05 (Critical Infrastructure): Government involvement changes everything 7. SCENARIO-07 (Triple Compromise): Multiple simultaneous crises 8. SCENARIO-08 (M&A): Extreme complexity, conflicts of interest


Print Instructions

  1. Print on cardstock (250 gsm minimum)
  2. Color-code cards by the Complexity line printed on each scenario:
     - Orange (Advanced / HIGH): SCENARIO-01 to SCENARIO-04, SCENARIO-06
     - Red (Advanced+ / EXTREME): SCENARIO-05, SCENARIO-07, SCENARIO-08
  3. Include a warning icon (exclamation mark) on the Advanced+ scenarios
  4. Include difficulty rating on card
  5. Cut along dotted lines
  6. Create a "Scenario Difficulty Guide" for selecting appropriate scenarios

Possible Future Advanced Scenarios


Disaster Recovery Module: Advanced Crisis Scenarios (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition

cards/print-templates/tracker-sheets.md

Tracker Sheets (Print & Play)

Version: 2.2 - Playtest Edition

Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.


Universal Tracker Sheet (all modules)

Turn Track

Cross off as each turn ends. Circle your turn limit before starting.

 1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]  [ ]

Budget Track

Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.

150 145 140 135 130 125 120 115 110 105 100  95  90  85  80  75
 70  65  60  55  50  45  40  35  30  25  20  15  10   5   0

Reputation / Score Track (0-100)

100  95  90  85  80  75  70  65  60  55  50  45  40  35  30  25  20  15  10  5  0

Uncontained Threats (Incident Response)

 0   1   2   3   4   5
[ ] [ ] [ ] [ ] [ ] [ ]      Penalty at start of turn: -5 Budget each

Forensics Module Sheet — Progress Meters

Advance each meter per card effects. Victory thresholds marked ▲.

ATTRIBUTION      0   10   20   30   40   50   60   70   80   90▲  100
TIMELINE         0   10   20   30   40   50   60   70   80▲  90   100
ATTACK CHAIN     0   10   20   30   40   50   60   70   80▲  90   100
CHAIN OF CUSTODY 0   10   20   30   40   50   60   70▲  80   90   100

Victory check (end of game): - V1 Full Attribution: Attribution ≥90 AND Timeline ≥80 - V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70 - V3 Partial Findings: any two meters ≥70

Investigation in flight: ____ (results arrive Turn _)

Evidence collected (✓ = Analyzed, one Analyze per card):

Evidence card            Documented? (+5% CoC)    Analyzed?
____________________     [ ]                      [ ]
____________________     [ ]                      [ ]
____________________     [ ]                      [ ]

Disaster Recovery Module Sheet

Crisis Progress Tracks

INVESTIGATION   0   10   20   30   40   50   60   70   80   90   100
REMEDIATION     0   10   20   30   40   50   60   70   80   90   100
COMMUNICATION   0   10   20   30   40   50   60   70   80   90   100

Stakeholder Trust (0-100%; any stakeholder at 0% = company collapses)

Stakeholder 100 80 60 40 20 (critical) 0 (LOSS)
Customers
Employees
Regulators
Board / Investors
Media / Public

Deadline Timeline (mark scheduled events at setup)

Turn              1     2     3     4     5     6     7     8
Scheduled event   __    __    __    __    __    __    __    __
Deadlines to mark at setup (turn per module rules): Customers notified (recommended) · Regulator penalties begin · GDPR 72h — regulators notified

Multi-turn action in flight: ____ (completes Turn _)


Audit & Compliance Module Sheet — Scoring Worksheet

# Domain Stars (1-5) PASS (3★+) / FAIL (1-2★) Key gap found
1 Network Segmentation
2 Identity & Access
3 Detection & Monitoring
4 Backup & Recovery
5 Cloud Security
6 Security Operations

Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).


Network Building Module Sheet — Score Sheet

Category Points Notes
Requirements met per requirement card
Security coverage per rules scoring table
Capability coverage per rules scoring table
Budget management per rules scoring table
TOTAL

Components placed:

Component Cost Capacity used / total

Budget remaining: ___ / starting ___