Disaster Recovery — Print & Play Bundle · v2.2 Playtest Edition
A cybersecurity board game by RetroVerse Studios · CC BY-NC-SA 4.0
Print this file (Ctrl/Cmd+P) or read on screen. Card pages print best on cardstock.
docs/HOW_TO_PLAY.md
Version: 2.2 - Playtest Edition
Read time: ~15 minutes. First game: ~45 minutes.
This is the learn-to-play manual — read it once, run your first game, then use the module rules as reference during play. Exact tables and numbers live in the reference docs; this manual teaches the flow.
Incident Zero is a cybersecurity board game for classrooms and training rooms. One player is the Threat Orchestrator (TO) — part facilitator, part adversary, part narrator. Everyone else is the Blue Team: security defenders making decisions under budget and time pressure.
The game's signature rule: you get better dice odds by explaining your reasoning like a real analyst. Say "we investigate suspicious activity" and you roll flat. Say "we pull the mail gateway logs to check the sender's real IP against threat intel" and you roll at +3. Talking like a professional is literally how you win — that's the point.
There are 6 modules covering the security lifecycle. Each is a standalone 30-45 minute game; they also chain together (the outcome of one feeds the setup of the next). This manual teaches Incident Response first — it's the flagship and the best hook.
Every module runs on the same engine:
d20 roll + modifiers ≥ 11.
The setup (TO does this privately, 5 min): An attacker is inside the fictional company's network. The TO secretly builds a 3-card attack chain in kill-chain order and keeps it face-down:
Suggested first chain: T-01 Phishing Campaign (INITIAL COMPROMISE / SOCIAL ENGINEERING) → T-04 Lateral Movement via SMB (PIVOT & ESCALATE / NETWORK) → T-07 Scheduled Task Persistence (PERSISTENCE / MALWARE)
The three actions (Blue Team picks ONE per turn):
| Action | Cost | On success (roll+mods ≥ 11) |
|---|---|---|
| Investigate | 5 | 1st success on a link = the TO gives a clue. 2nd success on the same link = card revealed! |
| Deploy Defense | 10/15/25 by tier | If the card's vector AND chain step match the hidden card = revealed immediately. Partial match = defense stays on the table and gives +2 to future rolls against any link matching its vector |
| Emergency Response | 15 | No roll. Contain one already-revealed threat (removes its ongoing penalty) |
The pressure (TO applies at the START of each turn): - Active Breach Cost: -5 Budget while any chain card is still unrevealed (the breach is burning money whether you see it or not) - Uncontained Threats: -5 Budget per revealed-but-uncontained threat (revealing the next card in the chain auto-contains the previous one)
When a card is revealed, the team immediately picks ONE reward: draw 2 Defense cards, +10 Budget, or Fast-Track (next Investigate succeeds on 5+).
TURN 1. TO: "Start of turn: one attacker action is still hidden — Active Breach Cost, minus 5. Budget: 95. Something is wrong at Meridian Logistics: the helpdesk queue is full of password-reset complaints. What do you do?" Team (after discussion): "Investigate. We pull the mail gateway logs and check sender domains against our threat-intel feed — if this is phishing, the return-path won't match the display name." TO: "That's a real methodology and a real tool — +2 and +1. Roll." Rolls 9. 9+3 = 12 ≥ 11 — success. TO reads a clue from T-01: "Several employees received emails claiming to be from IT, asking them to 're-authenticate'. The link goes to a look-alike domain registered 4 days ago." (First success on this link — clue only. Budget: 95 - 5 = 90.)
TURN 2. TO: "Active Breach Cost, minus 5. Budget: 85." Team: "Keep digging on the phishing — we check the mail gateway for who clicked, and pull those workstations' proxy logs." TO: "+2, +1. Roll." Rolls 10. 13 ≥ 11 — second success on the same link. TO flips T-01 face-up: "Phishing Campaign — revealed! Three users entered credentials on the fake page. This threat is now uncontained. Choose a reward." Team takes Budget Grant: 85 - 5 + 10 = 90.
TURN 3. TO: "Two cards still hidden: Active Breach minus 5. One uncontained threat: minus 5. Budget: 80. You know how they got in — you don't yet know where they went." From here, you're on your own. (A strong play: Deploy the Network Segmentation defense — if the next hidden card is network lateral movement, vector + step match reveals it instantly and auto-contains the phishing.)
Debrief prompts: What did you spend the most on, and was it worth it? Which clue actually changed your next decision? What one defense, bought before turn 1, would have changed everything?
Chaining modules: outcomes carry forward (audit gaps raise your DR costs; an IR loss sets up DR; IR's revealed chain seeds Forensics). See Module Combinations. Full lifecycle = all six in sequence, 4-5 hours across sessions.
| You want... | Read |
|---|---|
| You're the Threat Orchestrator | The TO Guide — the role, judging justifications, per-module screens |
| Exact rules for a module | docs/rules/ — core + one file per module |
| Solo/standalone setup for any module | docs/standalone-games/ |
| Every card, indexed | cards/CARD_REFERENCE.md |
| To run a playtest and report back | docs/playtesting/ |
| Variable game length & difficulty tiers | core-rules §3a |
Roll: d20 + modifiers ≥ 11 · +2 strong justification · +1 real tool/technique named · +2 matching deployed defense (IR)
IR costs: Investigate 5 · Deploy 10/15/25 · Emergency Response 15
IR start-of-turn: -5 while any card hidden · -5 per uncontained revealed threat
Reveal: 2 successful Investigates on a link, or 1 full-match Deploy (vector + step) · always the earliest unrevealed card
Reward per reveal (pick 1): 2 Defense cards / +10 Budget / next Investigate succeeds on 5+
Turn limit: (chain cards × 2) + 1 → 3 cards = 7 turns
Budgets: NB 40-60 · DR 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150
docs/TO_GUIDE.md
Version: 2.2 - Playtest Edition
Audience: anyone about to run Incident Zero — teacher, trainer, or the friend who volunteered.
The Threat Orchestrator (TO) is Incident Zero's dungeon master. You wear three hats, usually in the same minute: facilitator, adversary, and narrator.
If you've ever run a tabletop RPG, you already have 80% of this. The remaining 20% is the adjudication rubric in §4 — it's the part that makes this game educational rather than just thematic.
A good TO makes the game. The same scenario is flat or unforgettable depending on how you deliver clues and how honestly you judge reasoning. That's why this guide exists.
The +2/+1 modifiers are the game's teaching engine. Your consistency is what makes them meaningful.
+2 — Strong technical justification. The player explains methodology: what they'll look at, and why that would reveal or stop this specific thing. - ✅ "We pull the mail gateway logs and compare the return-path against the display-name domain — spoofed senders won't match." (mechanism stated) - ✅ "Deploy EDR because living-off-the-land attacks won't trip signature AV — we need behavioral detection." (threat-to-control logic) - ❌ "We investigate the email server thoroughly." (a location is not a method)
+1 — Real tool or technique named. Wireshark, Splunk queries, Mimikatz, a MITRE technique ID, an actual CVE. - ✅ "Check LSASS access events — that's Mimikatz behavior, T1003." - ❌ "We use our security tools." (no it isn't)
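The Return-Path versus display-name check that earns the +2 above, as an added Python example (standard library only) that is not part of the game's rules or cards. The two messages are constructed for the example and are not real mail; the domain meridianlogistics.example and the look-alike meridian-logistics-it.com are made up. The check reads the envelope sender (Return-Path), Reply-To, and the receiving gateway's Authentication-Results header, which is what a mail-gateway log lookup surfaces: SPF can pass for a look-alike domain the attacker controls, so the alignment check and the DMARC verdict are what actually separate the two messages.

```python
# Added example, not from the Incident Zero rules or card text: the header check the
# +2 justification describes, run on two constructed messages (not real mail).
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: display name claims IT, but envelope and reply addresses point at
# a look-alike domain. SPF passes (the attacker controls that domain's SPF record) while
# DMARC fails because the envelope domain is not aligned with the From domain.
PHISH = """\
Return-Path: <bounce@meridian-logistics-it.com>
Authentication-Results: mx.meridianlogistics.example; spf=pass smtp.mailfrom=meridian-logistics-it.com; dkim=none; dmarc=fail header.from=meridianlogistics.example
From: "Meridian IT Helpdesk" <helpdesk@meridianlogistics.example>
Reply-To: <support@meridian-logistics-it.com>
To: <jdoe@meridianlogistics.example>
Subject: Action required: re-authenticate your account

Your session has expired. Re-authenticate at the link below.
"""

# Constructed sample 2: a genuine helpdesk notice with aligned, authenticated headers.
LEGIT = """\
Return-Path: <helpdesk@meridianlogistics.example>
Authentication-Results: mx.meridianlogistics.example; spf=pass smtp.mailfrom=meridianlogistics.example; dkim=pass header.d=meridianlogistics.example; dmarc=pass header.from=meridianlogistics.example
From: "Meridian IT Helpdesk" <helpdesk@meridianlogistics.example>
To: <jdoe@meridianlogistics.example>
Subject: Scheduled maintenance window

Email will be unavailable Saturday 02:00-04:00.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value; '' if absent or malformed."""
    if not header_value:
        return ""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _auth_results(header_value):
    """Map method -> verdict from 'authserv-id; spf=pass ...; dkim=none; dmarc=fail ...'.
    Simplified parser: the first token of each ';'-separated clause after the authserv-id."""
    verdicts = {}
    for clause in (header_value or "").split(";")[1:]:
        token = clause.strip().split(" ", 1)[0]
        if "=" in token:
            method, verdict = token.split("=", 1)
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def triage_headers(raw_message):
    """Return a list of findings; an empty list means the headers are aligned and authenticated."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    findings = []
    for header in ("Return-Path", "Reply-To"):
        other = _domain(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} does not match From domain {from_domain}")
    verdicts = _auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')} at the gateway")
    return findings
```

`triage_headers(PHISH)` returns four findings (Return-Path and Reply-To misaligned, dkim=none, dmarc=fail); `triage_headers(LEGIT)` returns none. A team that can say which of these they would look for, and why a passing SPF alone proves nothing, has stated the mechanism the +2 rewards.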
Rulings that keep it fair: - Judge the reasoning, not the vocabulary. A beginner saying "check if the email really came from who it says" in plain words has the mechanism — award the +2. A buzzword salad without a mechanism gets +0. - Consistency beats generosity. Whatever bar you set on turn 1 is the bar all game. - Escalate the bar as the group learns — by session three, "we check the SIEM" that earned +1 in session one should need a specific query. Announce the escalation openly ("you're professionals now — I want specifics"). - Expert groups ("Expert Mode"): award +2 only for named artifacts, ATT&CK technique IDs, or detection logic. This is the challenge ceiling for practitioner tables — the card math never has to change. - One player monologuing every justification? Ask a different player to give it each turn ("Sam, you're on comms — why does this matter to the regulator?").
Signs it's too easy: no failed rolls; goal in sight with 40+ Budget spare; players bored. Signs it's too hard: no progress for 3+ turns; consecutive failures; frustration replacing discussion.
| Easier (pick 1-2) | Harder (pick 1-2) |
|---|---|
| Richer clues (more specific detail per success) | Vaguer clues (accurate but terse) |
| Suggest an angle through the fiction | Expert-mode justification bar |
| Shorter chain / lower tier next game | Longer chain, expansion cards |
| Beginner budgets (module max) | Minimum budgets |
Never adjust by fudging a roll or changing a printed number mid-game — players smell it, and it teaches that outcomes are arbitrary.
| Failure | Symptom | Fix |
|---|---|---|
| The Encyclopedia | You lecture after every roll | One sentence of "why," save the rest for debrief |
| The Softie | Everyone always gets +2 | Re-read §4; require the mechanism |
| The Sphinx | Clues so cryptic nobody moves | Clues must be actionable: each should suggest at least one sensible next investigation |
| The Railroader | You steer them to your solution | Multiple paths are valid; score the outcome, not the route |
| The Accountant | You narrate numbers, not events | Lead with fiction, then state the numbers |
| The Rusher | Debrief skipped because time ran out | Protect the last 10 minutes like it's the win condition — it is |
Three rounds, in order: What happened? (players narrate, you correct only facts) → Why did it work that way? (connect two or three key moments to real-world security — this is where you finally get to lecture, briefly) → What would you do differently? (go around the table; everyone answers). Losses debrief better than wins: read any unrevealed cards' "Why This Works" text aloud — it's the payoff for losing.
docs/rules/core-rules.md
Version: 2.2 - Playtest Edition
Last Updated: October 2025
Incident Zero is a modular cybersecurity board game for 2+ players designed for educational environments. One player acts as the Threat Orchestrator (TO), the facilitator, while all other players form Blue Teams (the Defenders).
Players choose which module(s) to play based on learning objectives:
Modules can be played solo or combined in any sequence using the modifier generation procedures documented in FRAMEWORK.md and Module Combinations.
Represent attacker actions. Each card includes:
- Title: e.g., "Phishing Campaign"
- Attack Chain Step: INITIAL COMPROMISE, PIVOT & ESCALATE, PERSISTENCE, or C2 & EXFIL
- Attack Vector: SOCIAL ENGINEERING, WEB EXPLOIT, CREDENTIAL ABUSE, MALWARE, NETWORK, or DATA EXFIL
- Clue: Descriptive text for the Threat Orchestrator
- Why This Works: Educational explanation (revealed after discovery)
Deck Composition: - 12 Base Threat Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 8 Expansion Threat Cards (see cards/incident-response/expansion-deck/advanced-threats.md)
Represent security controls. Each card includes: - Title: e.g., "Multi-Factor Authentication" - Countermeasure Vector: One of the six attack vectors - Tier: BASIC (10 Budget), ADVANCED (15 Budget), or ELITE (25 Budget) - Description: What the defense does and when it applies
Deck Composition: - 24 Base Defense Cards (see cards/incident-response/core-deck/threat-defense-cards.md) - 19 Expansion Defenses (see cards/incident-response/expansion-deck/advanced-defenses.md)
Examples: - BASIC: Email Authentication Setup, User Security Training, Firewall Rules (10 Budget) - ADVANCED: Multi-Factor Authentication, EDR, Network Segmentation (15 Budget) - ELITE: Threat Hunting, Memory Forensics, Deception Technology (25 Budget)
Represent sophisticated attack techniques used in Hardening module (and potentially others).
8 Core Tactics (PT-01 to PT-08): 1. PT-01: Social Engineering - Pretexting Attack 2. PT-02: Malware Evasion - Living-off-the-Land Technique 3. PT-03: Credential Dumping - Mimikatz Attack 4. PT-04: Lateral Movement - Network Traversal 5. PT-05: Privilege Escalation - Unpatched Kernel Exploit 6. PT-06: Data Exfiltration - Unmonitored Channel 7. PT-07: Supply Chain Compromise - Trusted Software Update 8. PT-08: Insider Threat - Malicious Administrator
See cards/hardening/core-deck/pentester-tactic-cards.md for full card text, plus 8 expansion tactics (PT-09 to PT-16) in advanced-tactics.md.
Simple cards providing scenario context. Examples: - Email Server - Customer Database - Domain Controller - Web Application - Backup System - Developer Workstation
Physical Components: - One 20-sided die (d20) - Turn Tracker (paper or board, counts 1-12+) - Budget Tracker (shows 0-150+) - Reputation/Security Score Tracker (shows 0-100) - Uncontained Threats Tracker (shows 0-5) - Tokens or counters (for tracking upgrades, penalties)
Optional: - Score sheets (printable or paper) - Playbook tracking sheet - Stakeholder communication log (for Disaster Recovery)
When Used: Investigation, Defense Deployment, Negotiation, and similar actions that have uncertain outcomes.
How It Works:
1. Player announces action and parameters
2. Player rolls 1d20 (one 20-sided die)
3. Add the modifiers to the roll and compare the total to the target number (usually 11)
4. Success if: roll + modifiers ≥ target number
Example:
Action: Investigate email headers
Target: 11+
Roll: 7
Modifiers: +2 (technical justification) +1 (referenced Splunk)
Calculation: 7 + 2 + 1 = 10
Result: FAIL (10 < 11)
What is Budget? Abstract resource representing time, money, personnel, and tools. Spent to take actions, buy defenses, or conduct investigations.
Budget Allocation by Module: - Network Building: Start at 40-60 (by difficulty; see module rules) - Hardening: Start at 150 (or carry over from IR) - Incident Response: Start at 100 - Disaster Recovery: Start at 50 (emergency fund) - Forensics: Start at 75 - Audit & Compliance: Start at 100 (used only for optional remediation cards)
Budget Spending: - Investigate action: 5 Budget - Deploy Defense: 10/15/25 Budget (by tier) - Emergency Response (IR): 15 Budget (v2.2; was 25) - Active Breach Cost (IR, v2.2): -5 Budget at start of each turn while any chain card remains unrevealed - Harden Upgrade (Hardening): 5 Budget - Create Playbook (Hardening): 10 Budget - Crisis Action cards (DR): 5-20 Budget per card (ACTION-01 to ACTION-12; the free "Holding Statement" costs 0) - Ransom Decision (DR, ACTION-13): Pay 20 / Negotiate 5 / Refuse 0
Budget = 0: Team loses (cannot take further actions)
Exception (Disaster Recovery, v2.2): Budget floor is 0 and the free Holding Statement action remains available — DR is never lost by running out of Budget; DR's loss condition is any stakeholder trust reaching 0%.
Turns represent: Time passing in the game world (6 hours, 30 minutes, or abstract unit depending on module)
Turn Sequence: 1. Start of Turn: Penalties applied, trackers announced 2. Planning Phase: Team discusses strategy (2-3 min) 3. Action Phase: Execute chosen action, resolve rolls 4. End of Turn: Advance tracker, draw card, check events
Philosophy: In real incident response, some attacks move fast (hours), some take months. Fixed turn lengths feel unrealistic. This system adds realism without requiring complex calculations.
Default Formula: (Attack Chain Cards × 2) + 1
This gives attackers enough time to progress realistically while keeping games manageable:
| Attack Chain | Formula | Turn Count | Session Duration |
|---|---|---|---|
| 3 cards | (3 × 2) + 1 | 7 turns | 30-40 min play |
| 4 cards | (4 × 2) + 1 | 9 turns | 35-45 min play |
| 5 cards | (5 × 2) + 1 | 11 turns | 40-50 min play |
| 6 cards | (6 × 2) + 1 | 13 turns | 45-55 min play |
How to Use Default Formula: 1. Choose number of threat cards in attack chain (3, 4, 5, or 6) 2. Apply formula: (Cards × 2) + 1 = Turn Count 3. Announce turn count to Blue Team 4. Play game normally with that turn limit
Example Setup:
"I've created a 4-card attack chain. That's (4 × 2) + 1 = 9 turns. You have 9 turns to detect all four threats. Go!"
Advanced Threat Orchestrators can use a Tier + d4 system for more control and variability:
Step 1: Select Attack Complexity Tier
| Tier | Turn Base | Attack Profile | Example |
|---|---|---|---|
| TIER 1 | 5-7 | Simple & obvious | Script kiddie using public tools |
| TIER 2 | 8-10 | Standard sophistication | Organized cybercriminal group |
| TIER 3 | 11-13 | Highly sophisticated | APT with operational security |
| TIER 4 | 14-16 | Expert/Nation-state | State-sponsored group |
Step 2: Add Randomness (Optional)
Roll 1d4 for variation: - Roll 1: -1 turn (tight timeline) - Roll 2 or 3: ±0 turns (no change) - Roll 4: +1 turn (extended dwell time)
Final Turn Count = Tier Base + d4 Result
Example Advanced Setup:
"This is a TIER 2 attack (organized cybercriminals). Base is 8-10 turns. I'll roll d4 for variation... [rolls 4, +1 turn]. Final turn count: 9-11 turns."
These rules protect game balance and prevent metagaming:
The Rule: Threat Orchestrators MUST accept the random result, even if it feels impossibly tight or loose.
Why: Real incident response is unpredictable. Sometimes attacks happen faster or slower than expected.
Example Scenarios: - TIER 3 attack (11-13 base) + d4 roll of 1 = 10-12 turns (tighter than expected, but realistic) - TIER 1 attack (5-7 base) + d4 roll of 4 = 6-8 turns (easier conditions, but acceptable)
When Chaos Feels Realistic: - Tight timeline: "The attacker worked faster than expected—they had prior knowledge" - Loose timeline: "The attacker was cautious, spending weeks in reconnaissance before striking"
Implementation: Lean into the randomness as realistic incident variability.
The Rule: Blue Team CANNOT deduce the attack tier from the announced turn count. They cannot ask "Is this TIER 2?" or "Is this TIER 4?" based on how many turns they have.
Why: Real incident response doesn't come with difficulty labels. Attackers don't advertise sophistication. Players should discover complexity through gameplay (attack chain complexity, defender evasion, tool sophistication, etc.).
What Players CAN Ask: - "What are the suspicious network events?" (leads to understanding threats) - "Can we analyze the malware?" (reveals attacker sophistication through findings) - "Why did this attack succeed?" (post-game discussion)
What Players CANNOT Ask: - "Is this a TIER 2 attack?" (deriving tier from turn count) - "This looks like a TIER 1 because we have 7 turns" (meta-gaming difficulty)
Implementation: Respond to difficulty questions by saying "Investigate and find out!" Players discover sophistication through evidence, not from turn counts.
The Rule: ONLY after rolling d4, the Threat Orchestrator may apply an optional ±1 turn adjustment IF the rolled result feels genuinely unreasonable for the scenario.
When to Use (Rare): - Scenario setup is unusually complex (multiple attack vectors, coordination across systems) - Player group is new and needs slightly easier conditions - Real-world incident being taught had specific timeline constraints
When NOT to Use (Prefer Random): - "The roll feels unlucky" (accept the chaos) - "I want this exactly 10 turns" (let dice decide) - "The attack chain is long so it should take longer" (that's what TIER system handles)
Implementation: 1. Roll d4 normally 2. Announce rolled result 3. ONLY IF genuinely unreasonable, apply ±1 modifier and explain why 4. Document the override for consistency in future scenarios
Example Valid Use:
"TIER 2 base 8-10, rolled -1 = 7-9 turns. That's tight given we have 5-card attack chain, so I'm adding +1 modifier (explaining the discovery is methodical). Final: 8-10 turns."
Example Invalid Use:
"I rolled 8-10 but I want 10-12, so I'm adding +2." (NO - use the roll as-is)
For Beginners (Use Default Formula): - [ ] Choose attack chain length (3, 4, 5, or 6 cards) - [ ] Calculate: (Cards × 2) + 1 - [ ] Announce turn count - [ ] Play
For Advanced (Use Tier + d4): - [ ] Select TIER (1, 2, 3, or 4) - [ ] Announce TIER basis (not the number, just why it's that complexity) - [ ] Roll d4 for variation (hidden or public, your choice) - [ ] Calculate final turn count - [ ] Apply Rule 3 modifier if genuinely needed (rare) - [ ] Announce final turn count WITHOUT revealing tier
Default Formula: Turn Count = (Attack Cards × 2) + 1
Tier System: - TIER 1: 5-7 turns (simple) - TIER 2: 8-10 turns (standard) - TIER 3: 11-13 turns (advanced) - TIER 4: 14-16 turns (expert) - Add d4 roll: -1, 0, 0, or +1
Golden Rules: 1. Accept any roll (embrace chaos) 2. Never reveal tier to players 3. Modifier authority only when truly needed (rare)
All modules use the same modifier system for consistency:
Awarded when a player provides clear, specific reasoning for their action using real security concepts.
Examples: - "We're analyzing email headers in the mail gateway logs to identify the true sender IP and check it against threat intelligence feeds" - "We're deploying EDR on all endpoints because it can detect living-off-the-land techniques" - "We're querying our SIEM for scheduled task creation events because attackers use them for persistence"
Criteria: - References specific tools (Splunk, EDR, SIEM, etc.) - Explains methodology (why this approach works) - Shows understanding of the threat being addressed
Awarded when player references actual security tools or real attack/defense techniques.
Examples: - "We'll use Wireshark to analyze the network traffic" - "We're checking for Mimikatz usage in memory" - "We're reviewing EDR telemetry" - "We're looking for this specific CVE exploitation pattern"
Criteria: - References real tools (Wireshark, EDR, Splunk, etc.) - References real techniques (MITRE ATT&CK, specific CVEs) - Shows awareness of how things actually work
When Applied: Incident Response module only, applied at START of each turn
How It Works: 1. When a threat card is revealed, add 1 to Uncontained Threats Tracker 2. At START of each turn, deduct 5 Budget per uncontained threat 3. When next card in chain is revealed, previous threat is auto-mitigated (-1 from tracker) 4. When Emergency Response action is used (15 Budget), remove a revealed threat (-1 from tracker)
Companion rule — Active Breach Cost (v2.2): while at least one chain card remains unrevealed, deduct an additional flat -5 Budget at the start of each turn. Hidden attackers cost money too.
Purpose: Creates urgency - dwell time costs money, whether you've found the attacker yet or not. Teaches real-world incident response costs.
Example (uncontained penalty only; Active Breach Cost also applies while cards remain hidden):
Turn 1: Phishing revealed → Uncontained Threats = 1
Turn 2: START → Deduct 5 Budget (95 remaining from 100)
Turn 3: START → Deduct 5 Budget (90 remaining)
Turn 3: Lateral Movement revealed → Phishing auto-mitigated (Uncontained = 1)
Turn 4: START → Deduct 5 Budget (85 remaining)
Turn 4: Emergency Response on Lateral Movement (15 Budget) → Uncontained Threats = 0
Turn 5: START → No uncontained-threat deduction (Active Breach Cost still applies while the third card is hidden)
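The Incident Response engine described in this document (roll resolution, action costs, the Active Breach Cost and Uncontained Threats penalties, the (cards × 2) + 1 turn limit, and the reveal-and-reward loop), as an added Python example that is not part of the Incident Zero rules or card files. It replays turns 1-3 of the HOW_TO_PLAY walkthrough (Meridian Logistics, suggested chain T-01 → T-04 → T-07) and that walkthrough's suggested turn-3 Deploy, so the budget checkpoints quoted there can be checked mechanically, and it gives a TO a way to dry-run a custom chain before a session. Three readings are assumptions because the rules are silent: Fast-Track is treated as a target of 5 for roll + modifiers, a Deploy that matches neither vector nor step stays on the table like a partial match, and "draw 2 Defense cards" is accepted as a reward without tracking a hand. Steps are INITIAL COMPROMISE / PIVOT & ESCALATE / PERSISTENCE / C2 & EXFIL and vectors are the six listed under Threat cards.

```python
# Added example, not from the Incident Zero rules or card files: a deterministic replay
# engine for the Incident Response module using the v2.2 numbers in this document.
from collections import namedtuple
from dataclasses import dataclass, field

TARGET, FAST_TRACK_TARGET = 11, 5       # assumption: "succeeds on 5+" means roll + mods >= 5
INVESTIGATE_COST, EMERGENCY_COST = 5, 15
TIER_COST = {"BASIC": 10, "ADVANCED": 15, "ELITE": 25}
ACTIVE_BREACH_COST = UNCONTAINED_COST = 5

ThreatCard = namedtuple("ThreatCard", "card_id title step vector")


@dataclass
class IRGame:
    chain: list                                   # hidden attack chain, kill-chain order
    budget: int = 100
    turn: int = 0
    revealed: int = 0                             # index of the earliest unrevealed card
    successes: int = 0                            # Investigate successes on that link
    uncontained: list = field(default_factory=list)
    table: list = field(default_factory=list)     # vectors of deployed defenses without a full match
    fast_track: bool = False

    @property
    def turn_limit(self) -> int:
        return len(self.chain) * 2 + 1            # core-rules default formula
    @property
    def current(self):
        return self.chain[self.revealed] if self.revealed < len(self.chain) else None
    def status(self) -> str:
        if self.current is None:
            return "WIN"
        if self.budget <= 0:
            return "LOSS (budget)"
        return "LOSS (turn limit)" if self.turn > self.turn_limit else "IN PROGRESS"
    def start_turn(self) -> int:
        """Start-of-turn pressure: Active Breach Cost while any card is hidden, -5 per uncontained threat."""
        self.turn += 1
        if self.current is not None:
            self.budget -= ACTIVE_BREACH_COST
        self.budget -= UNCONTAINED_COST * len(self.uncontained)
        return self.budget
    def _spend(self, cost: int) -> None:
        if self.current is None or self.budget < cost:
            raise ValueError("game is over or the team cannot afford this action")
        self.budget -= cost
    def _reveal(self, reward: str) -> None:
        self.uncontained = [self.current.card_id]  # revealing auto-contains the previous card
        self.revealed, self.successes = self.revealed + 1, 0
        if reward == "budget":
            self.budget += 10
        elif reward == "fast_track":
            self.fast_track = True
        elif reward != "cards":                   # "draw 2 Defense cards": no hand is tracked here
            raise ValueError(reward)
    def investigate(self, roll: int, justification: int = 0, tool: int = 0, reward: str = "budget") -> str:
        """Returns 'fail', 'clue' (first success on a link) or 'revealed' (second success)."""
        self._spend(INVESTIGATE_COST)
        mods = justification + tool + (2 if self.current.vector in self.table else 0)
        target, self.fast_track = (FAST_TRACK_TARGET if self.fast_track else TARGET), False
        if roll + mods < target:
            return "fail"
        self.successes += 1
        if self.successes < 2:
            return "clue"
        self._reveal(reward)
        return "revealed"
    def deploy(self, vector: str, step: str, tier: str, reward: str = "budget") -> str:
        """Vector AND step match reveals the card outright; anything else stays on the table for +2."""
        self._spend(TIER_COST[tier])
        if (vector, step) == (self.current.vector, self.current.step):
            self._reveal(reward)
            return "revealed"
        self.table.append(vector)                 # assumption: a no-match defense also stays on the table
        return "partial"
    def emergency_response(self, card_id: str) -> None:
        """Contain one already-revealed threat; no roll."""
        self._spend(EMERGENCY_COST)
        self.uncontained.remove(card_id)


SUGGESTED_CHAIN = [  # the manual's suggested first chain, IDs/steps/vectors as printed in this bundle
    ThreatCard("T-01", "Phishing Campaign", "INITIAL COMPROMISE", "SOCIAL ENGINEERING"),
    ThreatCard("T-04", "Lateral Movement via SMB", "PIVOT & ESCALATE", "NETWORK"),
    ThreatCard("T-07", "Scheduled Task Persistence", "PERSISTENCE", "MALWARE"),
]


def replay_manual_example() -> dict:
    """Turns 1-3 of the HOW_TO_PLAY walkthrough plus its suggested turn-3 Deploy; returns checkpoints."""
    g = IRGame(chain=list(SUGGESTED_CHAIN))
    out = {"turn_limit": g.turn_limit, "t1_start": g.start_turn()}                          # 7, 95
    out["t1"], out["t1_end"] = g.investigate(roll=9, justification=2, tool=1), g.budget      # clue, 90
    out["t2_start"] = g.start_turn()                                                         # 85
    out["t2"], out["t2_end"] = g.investigate(roll=10, justification=2, tool=1), g.budget     # revealed, 90
    out["t3_start"] = g.start_turn()                                                         # 80
    out["t3"] = g.deploy("NETWORK", "PIVOT & ESCALATE", "ADVANCED", reward="cards")          # revealed
    out["t3_end"], out["uncontained"], out["status"] = g.budget, g.uncontained[:], g.status()  # 65, ['T-04']
    return out
```

To dry-run a different chain, build a list of `ThreatCard`s in kill-chain order, create an `IRGame`, and call `start_turn()` once per turn before the chosen action; `status()` reports the two loss conditions (Budget at 0, or the turn counter passing the formula limit) and the win.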
Responsibilities: - Manage game state and track turns/budget - Describe scenarios and outcomes - Roll dice when action outcomes are uncertain - Guide the narrative
During Incident Response: - Create and manage hidden attack chain - Provide clues based on successful investigations - Control Uncontained Threats penalties - Be fair but challenging
During Other Modules: - Describe threat context and defenses - Draw Pentester Tactic cards (Hardening) - Manage timeline and deadlines (Disaster Recovery) - Guide debrief questions
Universal Tips: - Explain why actions succeed or fail - Ask clarifying questions about player strategy - Balance challenge with learning - Provide constructive feedback
Responsibilities: - Discuss strategy as a team - Choose one action per turn - Justify your decisions (gain +2 modifier) - Manage budget carefully - Learn from success and failure
Key Rule: Modifiers are additive and can stack.
Example (Hardening Module, canonical formula — v2.2):
Pentester Tactic: PT-02 Living-off-the-Land (DC 13)
Defense roll = d20
+ printed bonus for the ONE defense chosen (D-08 EDR vs PT-02: +3)
+ hardening upgrades on that defense (+2 each; one upgrade: +2)
+ relevant playbook (+3)
Team rolls 8:
8 + 3 (EDR) + 2 (upgrade) + 3 (playbook) = 16 ≥ 13 = SUCCESS
Only the single chosen defense's printed bonus applies — deployed defenses do not stack with each other against one tactic.
| Length | Difficulty | Best For |
|---|---|---|
| 3 cards | Beginner | Learning mechanics, 30 min sessions |
| 4 cards | Intermediate | Standard play, 40 min sessions |
| 5 cards | Advanced | Challenge play, full kill chain |
| Budget | Difficulty | Best For |
|---|---|---|
| 60 | Hard | Resource scarcity, tough choices |
| 100 | Standard | Balanced play, most scenarios |
| 150+ | Easy | Strategic depth, multiple options |
| Turns | Difficulty | Best For |
|---|---|---|
| 8 | Hard | Time pressure, fast play |
| 10 | Standard | Balanced, most scenarios |
| 12 | Easy | Exploration, learning |
Note (v2.2): Incident Response derives its turn limit from the Variable Game Length formula — (Attack Chain Cards × 2) + 1 → 7/9/11 turns (see §3a). The table above is for modules with educator-set limits.
| Module | Primary Learning | Secondary Learning |
|---|---|---|
| Incident Response | Cyber kill chain, attack detection, investigation | Resource prioritization, incident response |
| Hardening | Defense-in-depth, layering, proactive security | Cost-benefit analysis, security architecture |
| Disaster Recovery | Crisis management, stakeholder communication | Risk assessment, incident cost |
| Network Building | Network design, asset security, architecture | Infrastructure hardening, threat modeling |
| Forensics | Digital forensics, chain of custody, attribution | Evidence handling, MITRE ATT&CK mapping |
| Audit & Compliance | Security assessment, governance, compliance | Risk identification, remediation prioritization |
| Mechanic | What It Teaches |
|---|---|
| d20 roll system | Uncertainty, risk, informed decision-making |
| Budget constraints | Resource allocation, prioritization |
| Justification bonuses | Technical reasoning, tools/techniques knowledge |
| Uncontained Threats penalty | Urgency, cost of dwell time |
| Pentester Tactics | Attacker sophistication, defense limitations |
| Playbook system | Preparation, incident response planning |
| Scoring systems | Outcome measurement, quality assessment |
Implementation: - Same setup for all teams - Teams cannot share information (Incident Response) - Score comparison determines winner (Hardening) - Reputation comparison (Disaster Recovery)
Every module should include a 5-15 minute debrief with three sections:
Too Easy Signs: - Team reveals all cards/achieves goal with 40+ budget remaining - No failed rolls - No meaningful decisions required - Team is bored
Too Hard Signs: - Team is stuck/making no progress after 5 turns - Multiple consecutive failed rolls - Team frustrated rather than challenged - No learning happening
Adjustment Options: - Easier: Provide better clues, more starting budget, fewer tactics - Harder: Less specific clues, lower budget, more tactics - Faster: Shorter turn limits, simpler scenarios - Slower: More turns, more complex scenarios
For complete card descriptions, see: - Base Threat & Defense Cards cards/incident-response/core-deck/threat-defense-cards.md - Expansion Threats cards/incident-response/expansion-deck/advanced-threats.md - Expansion Defenses cards/incident-response/expansion-deck/advanced-defenses.md - All decks indexed cards/CARD_REFERENCE.md
For complete rules on each module:
For your first game: 1. Choose a module from Module Combinations 2. Read the module-specific rules 3. Read the standalone setup guide 4. Prepare your scenario 5. Play!
For multiple modules: 1. Refer to Module Combinations for recommended sequences 2. Refer to FRAMEWORK.md for modifier generation procedures 3. Play first module, generate modifiers for next 4. Continue as desired
Incident Zero: Core Rules & Mechanics v2.1 - Balanced & Refined Edition Universal rules for all modules
docs/rules/module-disaster-recovery.md
Version: 2.2 - Playtest Edition
Last Updated: October 2025
v2.2: the card system is canonical. The Disaster Recovery game is played with 12 Crisis Action cards (plus ACTION-13), 12 Event cards, and 5 Stakeholder cards. Track advances are deterministic — dice are used only for the optional Justification bonus and ACTION-13's "no guarantee" roll. See cards/disaster-recovery/ for the cards themselves and v2.2 Playtest Edition Changes at the bottom of this document for what changed.
The Disaster Recovery Module teaches crisis management and breach response when incident detection fails. This module is typically entered after losing an Incident Response module (representing an undetected or uncontained breach) but can also be played standalone to teach DR concepts.
This is not a "second chance" to solve the attack chain. Instead, it simulates the real-world consequences of a successful breach: - Crisis management under pressure - Stakeholder communication (board, customers, regulators) - Forensic investigation with limited budget - Public disclosure and legal requirements - Incident containment and damage assessment - Financial impact and recovery costs
Incident Response: Teaches proactive threat detection and investigation Hardening (typically after an IR win): Teaches proactive defense and resilience Disaster Recovery (typically after an IR loss): Teaches crisis management, consequences, and recovery
| Component | Count | Purpose |
|---|---|---|
| Crisis Action cards (ACTION-01 to ACTION-13) | 13 | The actions teams play each turn |
| Event cards (EVENT-01 to EVENT-12) | 12 | 6 Scheduled + 6 Triggered pressure events |
| Stakeholder cards (STAKE-01 to STAKE-05) | 5 | Five trust meters (0-100%) |
| Progress tracks | 3 | Investigation %, Remediation %, Communication % (0-100%) |
| d20 | 1 | Optional Justification bonus; ACTION-13 "no guarantee" roll |
| Track/trust sheets | — | See print pack (coming) — a piece of paper works fine |
Money mapping: 1 Budget ≈ $50K. All dollar figures (fines, ransoms) use this mapping unless marked narrative-only.
Trigger: Team lost the Incident Response module by either: - Reaching the IR turn limit ((chain cards × 2) + 1 in v2.2; see core-rules §3a) with unrevealed cards remaining, OR - Running out of Budget (reaching 0)
Outcome: The attack chain proceeded undetected. The threat actor succeeded.
(Standalone play: skip Incident Response and start here — see the standalone guide.)
The Threat Orchestrator reveals the entire unrevealed attack chain to the Blue Team: - All hidden Threat cards are shown - The complete attack progression is explained - The attacker's objectives are stated
Example Revelation: "Your security team was unable to detect the attack in time. The attacker successfully: 1. Sent a phishing email (SOCIAL ENGINEERING) 2. Harvested credentials (CREDENTIAL ABUSE) 3. Moved laterally across your network (NETWORK) 4. Dumped admin credentials (CREDENTIAL ABUSE) 5. Exfiltrated your entire customer database (DATA EXFIL)
The attacker is now threatening to publish the data unless you pay $1M (20 Budget). You have 72 hours before regulators must be notified."
Budget floor is 0. Budget can never go negative; the free Holding Statement action is always available.
Set the three progress tracks to 0%: Investigation, Remediation, Communication.
Set the five stakeholder trust meters to their starting values: Customers 50%, Regulators 60%, Media 40%, Board 70%, Executives 80%. Meters clamp to 0-100%.
Build the Event Timeline: place the 6 Scheduled events on their turns (EVENT-01 Turn 2, EVENT-04 Turn 3, EVENT-03 + EVENT-09 Turn 5, EVENT-02 Turn 6, EVENT-12 Turn 7). Lay the 6 Triggered events face-up where their conditions can be read.
Ransom scenarios: note the ransom deadline (default: start of Turn 5) and put ACTION-13 where the team can see it.
Reputation is NOT tracked during play. It is computed once, at game end (see Final Scoring). During play, the three tracks and five trust meters are the whole state.
The game lasts 8 turns. Each turn is one crisis phase of ~6-12 hours of narrative time:
| Turn | Narrative Time | Key Deadline |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Internal legal/executive escalation complete (narrative; this was mislabeled a "regulatory deadline" in v2.1 — the regulatory anchor is GDPR 72h) |
| 3 | +18h | Board Meeting (EVENT-04) |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended (ACTION-09); default ransom deadline (ACTION-13) |
| 6 | +48h | Regulatory escalation begins (EVENT-02): -10 Regulator trust per un-notified turn |
| 7 | +60h | Government subpoena (EVENT-12) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |
All deadlines on every card use this clock. There are no 12-hour, 24-hour, 30-day, or 60-day timers anymore; the former 30/60-day deadlines are deferred final-scoring consequences (see Final Scoring).
(Exception: EVENT-08 Second Breach extends play to Turn 10, once per game. Scoring deadlines do not move.)
Each turn:

1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Reveal and resolve this turn's Scheduled event
   - Check all un-fired Triggered events; resolve any whose condition is met
   - Apply decay/deadline penalties (e.g., Customer decay, Regulator -10/turn from Turn 6 if un-notified)
2. TEAM ACTION (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its Budget cost, apply its track advance
   - Multi-turn actions (Duration N): the card occupies your action slot only on the turn started; its advance completes at the start of the Nth following turn. Only one multi-turn action in flight at a time.
   - Or take the free Holding Statement (0 Budget, +5% Communication; always available, counts as a Communication action for decay purposes)
   - Optional Justification bonus (v2.2): if the team gives a strong, specific technical justification for the action, the TO may allow a d20 roll — on 11+, that action's track advance gains +5%. This is the only d20 in track advancement, and it is a bonus, never a gate.
   - ACTION-13 (Ransom Decision) may be declared at any time before the ransom deadline; it does not use the action slot and happens once per game.
3. APPLY STAKEHOLDER EFFECTS
   - Apply the played action's trust effects (table below)
4. END OF TURN
   - Check the loss condition: any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter
| Action | Trust effects when completed |
|---|---|
| ACTION-01 Forensic Analysis | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | — |
| ACTION-03 Log Analysis | — |
| ACTION-04 Third-Party IR | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Executives +5 |
| ACTION-06 Containment | Executives +5 |
| ACTION-07 Rebuild from Backup | Executives +5, Customers +5, Board +5 |
| ACTION-08 Credential Reset | Executives +5 |
| ACTION-09 Customer Notification | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Regulators +20 |
| ACTION-11 Media Management | Media +20, Customers +10 |
| ACTION-12 Board Communication | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | — (scoring effects only) |
| Holding Statement (free) | — (stops Customer decay) |
Where a Stakeholder card lists a range (e.g., "+2-5%"), this table is the single authoritative value (v2.2).
| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only |
| Customer notification (ACTION-09) | End of Turn 5 (recommended) | Customer trust -10 per later turn; EVENT-05 Class Action may trigger; never notified = -15 Reputation at final scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) — GDPR 72h | End of Turn 8 (escalating from Turn 6) | Regulator trust -10 per turn from Turn 6 while un-notified; never notified = -20 Reputation at final scoring (deferred fine) |
If the scenario includes a ransom/extortion demand, the team must resolve ACTION-13: Ransom Decision before the ransom deadline (default: start of Turn 5). Exactly one option, once per game:
| Option | Cost | Reputation (at scoring) | Effect |
|---|---|---|---|
| PAY | 20 Budget (≈ $1M) | -15 | Data-publication event skipped/cancelled; +20% Remediation immediately. No guarantee: TO rolls d20 — on 1-5 the keys don't work: no refund, +0% Remediation (publication stays cancelled). |
| NEGOTIATE | 5 Budget | -5 | Data-publication event delayed by 2 turns (default: to start of Turn 7). |
| REFUSE | 0 Budget | 0 (-20 if the data-publication event later triggers) | No payment, no delay. |
Data-publication event: if the team has not PAID by the (possibly delayed) deadline, the attacker publishes the stolen data: Customer trust -20, Media trust -15, plus the REFUSE scoring penalty if applicable.
Corrected facts (v2.2): payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage. The FBI discourages payment. Payment guarantees nothing.
Decision Framework for Teams:
- Small company, limited budget: may pay (can't afford extended downtime)
- Large company, security-conscious: often refuses (sets precedent, funds crime)
- Critical infrastructure: may negotiate with government assistance
- Regulated industry / sanctioned actor: payment may be legally impossible
Educational Purpose: the ethical and practical considerations of ransom decisions; no "right" answer — it depends on risk tolerance.
Immediate Costs (paid from DR Budget, floor 0):
- Crisis Action card costs (see the Crisis Action deck)
- Event costs (subpoena legal fees, regulatory fine, lost revenue)
- Ransom payment or negotiation (ACTION-13)

Deferred/Ongoing Costs (narrative-only; discuss in debrief):
- Credit monitoring, legal costs, long-tail regulatory exposure, customer churn
- Real-world scale: GDPR fines run up to €20M or 4% of global turnover, whichever is higher; total breach costs typically run to millions
The scoring system captures deferred consequences as Reputation penalties (below) rather than as a parallel money ledger.
Reputation is computed once, at game end. The three tracks and five trust meters drive play; Reputation (0-100) is the outcome measure.
FINAL REPUTATION = 100, then apply:
1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
   - 50-100% -> -0
   - 25-49% -> -5
   - 10-24% -> -10
   - 0-9% -> -20
2. STAKEHOLDER TRUST (average of the five meters at game end)
   - 70%+ -> +5
   - 50-69% -> 0
   - 30-49% -> -10
   - below 30% -> -20
3. DECISION & EVENT MODIFIERS (each applies at most once)
   - +5 Customers notified transparently by end of Turn 5 (ACTION-09)
   - +3 per completed quality investigation (ACTION-01 or ACTION-04), MAX +6 total per game
   - -5 ACTION-13 NEGOTIATE (only one ACTION-13 modifier can apply)
   - -15 ACTION-13 PAY
   - -20 ACTION-13 REFUSE and data was published
   - -10 EVENT-05 Class Action triggered
   - -10 EVENT-06 Regulatory Fine triggered
   - -10 EVENT-08 Second Breach triggered
   - -15 Customers never notified in-game (deferred statutory violation)
   - -20 Regulators never notified in-game (deferred GDPR fine)
4. CLAMP the result to 0-100.
| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |
Below 20% trust is a CRITICAL warning state only — it triggers escalation events but is never itself a loss. The old "<30% trust = loss" rule is removed.
Default: the Reputation computation starts at 100 for every game. As a clearly-labelled optional difficulty variant, start the computation lower for bigger breaches:
| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |
Scenario: "The Ransomware Nightmare" — customer database encrypted and exfiltrated (500K records), ransom demand $1M (20 Budget), publication threatened. Standalone play, default difficulty. Budget 50.
| Turn | Action (cost) | Tracks | Events & trust |
|---|---|---|---|
| 1 | ACTION-02 Threat Hunting (8); justification roll 14 → +5% | Inv 20 | — |
| 2 | ACTION-06 Containment (8) | Rem 15 | EVENT-01: no media action yet → Media 40→30. Exec +5 → 85 |
| 3 | ACTION-10 Notify Regulators (8); declare ACTION-13 NEGOTIATE (5) | Comm 10 | Customer decay (no Communication action completed yet at start of turn): Customers 50→40. Regulators 60→80. EVENT-04 unprepared (no ACTION-12) → Board 70→50. Publication delayed to start of Turn 7 |
| 4 | ACTION-05 Patch & Harden (10) | Rem 35 | No more decay (ACTION-10 completed). Exec +5 → 90 |
| 5 | ACTION-09 Customer Notification (10) | Comm 30 | Customers 40→55, Media 30→35. EVENT-03 passed → +5 Rep at scoring. (Private company: skip EVENT-09) |
| 6 | Holding Statement (0) | Comm 35 | EVENT-02: already notified → Regulators +5 → 85. EVENT-08 check: Rem 35 ≥ 30 → does not fire |
| 7 | Holding Statement (0) | Comm 40 | Data published (unpaid): Customers 55→35, Media 35→20. EVENT-12: Exec 90→80, Budget 1→0, Inv +5% → 25 |
| 8 | Holding Statement (0) | Comm 45 | Media at 20 (not below 20) → EVENT-07 does not fire. Game ends |
Budget spent: 8+8+8+5+10+10 = 49 of 50 (then -5 subpoena fees, floored at 0).
Final state: Tracks: Inv 25, Rem 35, Comm 45. Trust: Customers 35, Regulators 85, Media 20, Board 50, Executives 80 → average 54.
Scoring:
- Tracks: Inv 25 (-5), Rem 35 (-5), Comm 45 (-5) → -15
- Trust average 54 → 0
- Modifiers: +5 (transparent customer notification by Turn 5), -5 (NEGOTIATE) → 0
- Final Reputation: 100 - 15 = 85 → Exemplary (barely!)
Lessons visible in the example: the team skipped board prep (Board Meeting hurt), never bought media management (publication nearly triggered a frenzy at Media 20), and threading the ransom deadline with NEGOTIATE bought exactly enough time to notify everyone first. One different choice and this is a 70s game.
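A scorer for the Final Reputation rules above, run against the worked example. This is an added example and not code from the Incident Zero rulebook or RetroVerse Studios; the class, function and field names are this example's own choices, and the game-end figures it embeds are copied from the worked example above (tracks 25/35/45, the five trust meters, NEGOTIATE, customers notified on Turn 5, data published unpaid on Turn 7).

```python
"""Final Reputation scorer for the Disaster Recovery module.

Added example, not code from the Incident Zero rulebook or RetroVerse Studios.
It applies the four scoring steps exactly as the module rules state them and
re-checks the "Ransomware Nightmare" worked example. Names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TRACKS = ("investigation", "remediation", "communication")
METERS = ("customers", "regulators", "media", "board", "executives")


@dataclass
class GameEnd:
    """Everything the scoring step reads off the table at game end."""
    tracks: Dict[str, int]                      # 0-100 per track
    trust: Dict[str, int]                       # 0-100 per stakeholder meter
    customers_notified_by_turn5: bool = False   # ACTION-09 complete by end of Turn 5
    quality_investigations: int = 0             # completed ACTION-01 / ACTION-04
    ransom: Optional[str] = None                # "NEGOTIATE", "PAY", "REFUSE" or None
    data_published: bool = False                # data-publication event fired
    events_fired: Set[str] = field(default_factory=set)  # e.g. {"EVENT-05"}
    customers_never_notified: bool = False
    regulators_never_notified: bool = False
    start: int = 100                            # 90 / 80 under the optional scope variant


def track_penalty(pct: int) -> int:
    """Step 1: penalty for one track's final percentage."""
    if pct >= 50:
        return 0
    if pct >= 25:
        return -5
    if pct >= 10:
        return -10
    return -20


def trust_modifier(average: float) -> int:
    """Step 2: modifier from the average of the five trust meters."""
    if average >= 70:
        return 5
    if average >= 50:
        return 0
    if average >= 30:
        return -10
    return -20


def decision_event_modifiers(g: GameEnd) -> int:
    """Step 3: each modifier applies at most once; only one ACTION-13 line can apply."""
    total = 5 if g.customers_notified_by_turn5 else 0
    total += min(3 * g.quality_investigations, 6)       # MAX +6 per game
    if g.ransom == "NEGOTIATE":
        total -= 5
    elif g.ransom == "PAY":
        total -= 15
    elif g.ransom == "REFUSE" and g.data_published:     # an undeclared deadline counts as REFUSE
        total -= 20
    total -= 10 * len({"EVENT-05", "EVENT-06", "EVENT-08"} & g.events_fired)
    if g.customers_never_notified:
        total -= 15
    if g.regulators_never_notified:
        total -= 20
    return total


def tier(reputation: int) -> str:
    """Outcome tier from the Final Reputation table."""
    if reputation >= 85:
        return "Exemplary"
    if reputation >= 70:
        return "Managed"
    if reputation >= 55:
        return "Damaged"
    if reputation >= 40:
        return "Mismanaged"
    return "Catastrophic"


def score(g: GameEnd) -> Dict[str, object]:
    """Run steps 1-4 and return the breakdown alongside the final tier."""
    tracks = sum(track_penalty(g.tracks[t]) for t in TRACKS)
    average = sum(g.trust[m] for m in METERS) / len(METERS)
    trust = trust_modifier(average)
    mods = decision_event_modifiers(g)
    final = max(0, min(100, g.start + tracks + trust + mods))   # step 4: clamp to 0-100
    return {"tracks": tracks, "trust_average": average, "trust": trust,
            "modifiers": mods, "final": final, "tier": tier(final)}


# Constructed from the worked example: Inv 25 / Rem 35 / Comm 45, trust 35/85/20/50/80,
# NEGOTIATE, customers notified on Turn 5, data published unpaid on Turn 7.
RANSOMWARE_NIGHTMARE = GameEnd(
    tracks={"investigation": 25, "remediation": 35, "communication": 45},
    trust={"customers": 35, "regulators": 85, "media": 20, "board": 50, "executives": 80},
    customers_notified_by_turn5=True,
    ransom="NEGOTIATE",
    data_published=True,
)

if __name__ == "__main__":
    print(score(RANSOMWARE_NIGHTMARE))   # final 85, Exemplary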
Mandatory-path check (v2.2): the cheapest mandatory beats — investigate (ACTION-03: 5), notify regulators (ACTION-10: 8), notify customers (ACTION-09: 10), remediate (ACTION-08: 6) — cost 29 Budget. A stronger path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44. Both fit a 50-Budget team with room for events.
See the worked example above. Key tension: ransom decision vs. notification deadlines.
Attack chain revealed: disgruntled employee → lateral movement → Mimikatz → insider data theft. Data already for sale on dark web (no ransom demand — skip ACTION-13).
Suggested line of play (Budget 50-60):
1. Turn 1: ACTION-03 Log Analysis (5) — establish the insider's access timeline
2. Turn 2: ACTION-01 Forensic Analysis (12, Duration 2) — evidence for HR/legal/prosecution
3. Turn 3: ACTION-10 Regulatory/Law-Enforcement Notification (8) — FBI referral
4. Turn 4: (forensics completes: +25% Inv, +3 at scoring) ACTION-08 Credential Reset (6)
5. Turn 5: ACTION-09 Customer Notification (10) — transparent disclosure
6. Turns 6-8: ACTION-06 Containment (8), then Holding Statements
Teaching point: insider threats hit Executive and Board trust hardest; internal communication matters as much as external.
Attack chain revealed: compromised vendor update → lateral movement → cloud API token theft → DNS tunneling exfiltration → persistent C2.
Teaching point: teams quickly realize they cannot finish remediation by Turn 8 — ACTION-07 rebuilds and ACTION-04 third-party IR eat the clock and the budget. That is the lesson: some incidents transition to months-long response. Expect a "Damaged"-tier result even from good play, and debrief why (complex incidents score lower on the same rubric).
After DR Phase completion, run a structured debrief:
Incident Response Skills:
- Prioritize crisis response actions under pressure
- Coordinate across teams and stakeholders
- Make decisions with incomplete information
- Understand forensic investigation requirements

Business Impact Understanding:
- Recognize financial costs of breaches (not just immediate costs)
- Understand regulatory & legal consequences
- Learn about reputational damage and customer churn
- Recognize insurance and recovery programs

Stakeholder Management:
- Communicate effectively with diverse audiences (customers, regulators, media)
- Balance transparency with liability reduction
- Manage expectations during crisis
- Follow regulatory notification requirements (the GDPR 72-hour anchor)

Long-term Recovery:
- Incident doesn't end when systems are "fixed"
- Organizational recovery takes months/years
- Prevention is far cheaper than response
- Importance of pre-incident preparation
For Teams That Had Better Detection (Lost Incident Response by Turn 9-10):
- "If you'd detected the attack one turn earlier, what would have changed?"
- "What one additional control would have triggered detection?"
- "How does dwell time (time from compromise to detection) affect these costs?"

For Teams That Lost Quickly (Out of budget by Turn 5-6):
- "Why did your investigation fail so quickly?"
- "Which budget-saving action actually cost you more in the long run?"
- "What would aggressive early investigation have prevented?"

For All Teams:
- "How much did this incident actually cost (total financial + reputational)?"
- "If detection during Incident Response saves 80% of these costs, what should you invest in detection?"
- "How would a pre-prepared incident response plan have helped?"
- "What's the value of having a Disaster Recovery plan before you need it?"

Average Breach Costs (2023 data; narrative-only):
- Detection Time (Dwell Time): 206 days average
- Cost per Compromised Record: $4.50 (varies by industry)
- Total Average Cost: $4.5M (for 1M records)
- Cost Breakdown: Detection & Analysis 25%, Containment & Eradication 20%, Recovery & Restoration 20%, Legal & Regulatory 15%, PR & Communications 10%, Customer Notifications 10%

Common Mistakes in Real Incidents:
- Poor forensic planning → Extended investigation costs
- Late customer notification → Regulatory fines + brand damage
- Inadequate remediation → Re-compromise (in-game: EVENT-08)
- Ransom payment → Funds future attacks; doesn't guarantee data deletion
- No incident plan → Chaos and poor decisions

Success Factors in Real Incidents:
- Pre-incident planning and training
- Clear communication protocols
- Rapid forensic investigation
- Transparent customer communication
- Thorough remediation
- Post-incident review and improvements
If a team scores 85+ (Exemplary), they can attempt a post-game Recovery Analysis: spend 5 remaining Budget for a deep forensic review, identify the systemic failure that allowed the Incident Response loss, and describe the detection investment that would have caught it. Models "turning crisis into opportunity."
Disaster Recovery doesn't necessarily end the incident: Week 2 threat hunting discovers a backdoor still active; Week 4 the attacker tries again; Week 8 a new variant appears. Replay DR with the Second Breach event pre-armed. Teams learn that some breaches have long tails.
Add negotiation flavor at debrief: Did the insurer cover this incident? (Many policies restrict or exclude ransom coverage.) How much forensic evidence was preserved for lawsuits? Could you have negotiated the regulatory settlement?
Incident Response teaches: "Catch attacks early"
Hardening (after a win) teaches: "Prevent future attacks"
Disaster Recovery (after a loss) teaches: "Plan for what you'll miss"

Together, they create a complete incident response curriculum:
1. Detection & Investigation (Incident Response)
2. Hardening & Prevention (Hardening — win path)
3. Crisis Management & Recovery (Disaster Recovery — loss path)
Students learn that even with perfect security, breaches can happen. The question isn't "Will we be attacked?" but "When we're attacked, will we respond effectively?"
Disaster Recovery Phase for Incident Zero
For teams that experience the cost of failed detection
Emphasizing that response quality matters as much as prevention
docs/standalone-games/disaster-recovery.md
Version: 2.2 - Playtest Edition Duration: 30-45 minutes Players: 1 Threat Orchestrator + 2-4 Blue Team members Best For: Crisis management training, incident response procedures, stakeholder communication
v2.2: the card system is canonical. You play the 13 Crisis Action cards against the 12 Event cards while managing 5 Stakeholder trust meters, over one 8-turn clock. Track advances are deterministic; dice appear only in the optional Justification bonus and ACTION-13's "no guarantee" roll. This guide uses the exact same rules, numbers, and tier table as docs/rules/module-disaster-recovery.md.
The Disaster Recovery Module teaches players how to manage a real breach — investigation, remediation, stakeholder communication, and the ransom decision — under extreme time and budget pressure.
Players balance three progress tracks (Investigation %, Remediation %, Communication %) and five stakeholder trust meters while an event timeline turns up the heat. At the end, a single Reputation score (0-100) is computed from what they achieved.
From cards/disaster-recovery/:
- 13 Crisis Action cards (ACTION-01 to ACTION-13)
- 12 Event cards (6 Scheduled + 6 Triggered)
- 5 Stakeholder cards (trust meters)
- A d20, and paper for the tracks/trust/budget (tracker sheets: see print pack, coming)
Money mapping: 1 Budget ≈ $50K.
The breach has already succeeded. The Threat Orchestrator reveals the full attack chain:

"Your organization has experienced a significant data breach. Here's what happened:

Attack Chain:
1. Phishing Campaign → Employee clicked malicious link
2. Credential Harvesting → Login credentials captured
3. VPN Access → Attacker gained network access
4. Lateral Movement → Access to production servers
5. Database Exfiltration → 500,000+ customer records stolen

Current Status:
- Breach detected; the crisis clock starts now
- Attacker demanding $1M ransom (= 20 Budget) or they publish the data
- Media starting to ask questions
- You have 8 turns (72 narrative hours) to respond

Your Challenge: Investigate the breach, remediate it, and communicate with stakeholders — before the deadlines land."
| Turn | Time | Scheduled Event / Deadline |
|---|---|---|
| 1 | +6h | Internal discovery |
| 2 | +12h | EVENT-01 First Media Coverage; internal legal/executive escalation complete (narrative) |
| 3 | +18h | EVENT-04 Board Meeting |
| 4 | +24h | — |
| 5 | +36h | EVENT-03 Customer Notification Window (ACTION-09 recommended by end of this turn); EVENT-09 Shareholder Pressure (public companies); default ransom deadline (ACTION-13) |
| 6 | +48h | EVENT-02 Regulatory 72h Deadline — escalation begins (-10 Regulator trust per un-notified turn) |
| 7 | +60h | EVENT-12 Government Subpoena (medium/large breaches) |
| 8 | +72h | GDPR 72-hour deadline: ACTION-10 must be complete. Game ends. |
Lay the 6 Triggered events (EVENT-05, -06, -07, -08, -10, -11) face-up where their trigger conditions can be read. Each fires once, when its condition is met.
Default: the final Reputation computation starts at 100. For harder games:
| Scope | Records | Start computation at |
|---|---|---|
| Small (Beginner) | ~50K | 100 (default) |
| Medium (Intermediate) | ~500K | 90 |
| Large (Advanced) | 5M+ | 80 |
1. START OF TURN
   - Complete any in-flight multi-turn action that finishes now (apply its track advance)
   - Resolve this turn's Scheduled event; check all un-fired Triggered events
   - Apply decay/deadline penalties (Customer decay from Turn 3 if no communication yet; Regulator -10/turn from Turn 6 if un-notified)
   - Announce remaining Budget, tracks, and trust meters
2. BLUE TEAM'S TURN (2-3 minutes discussion)
   - Play ONE Crisis Action card: pay its cost, apply its track advance — or take the free Holding Statement (0 Budget, +5% Communication)
   - Multi-turn actions (Duration N): occupy the action slot only on the turn started; the advance completes at the start of the Nth following turn; one in flight at a time
   - Justification bonus (optional): strong, specific technical justification → roll d20; on 11+ that action's advance gains +5%
   - ACTION-13 Ransom Decision may be declared at any time before the ransom deadline; it does not use the action slot (once per game)
3. APPLY STAKEHOLDER EFFECTS
   - Apply the action's trust effects (table below)
4. END OF TURN
   - Any stakeholder trust at 0% = immediate loss ("the company collapses")
   - Advance the turn counter; the game ends after Turn 8 (Turn 10 if EVENT-08 fired)
| Card | Category | Cost | Advance | Duration | Trust effects |
|---|---|---|---|---|---|
| ACTION-01 Forensic Analysis | Investigation | 12 | +25% Inv | 2 turns | Regulators +10, Board +5 |
| ACTION-02 Threat Hunting | Investigation | 8 | +15% Inv | 1 turn | — |
| ACTION-03 Log Analysis | Investigation | 5 | +10% Inv | 1 turn | — |
| ACTION-04 Third-Party IR | Investigation | 20 | +30% Inv, +20% Rem | 3 turns | Regulators +15, Board +15 |
| ACTION-05 Patch & Harden | Remediation | 10 | +20% Rem | 1 turn | Executives +5 |
| ACTION-06 Containment | Remediation | 8 | +15% Rem | 1 turn | Executives +5 |
| ACTION-07 Rebuild from Backup | Remediation | 15 | +25% Rem | 2 turns | Exec +5, Cust +5, Board +5 |
| ACTION-08 Credential Reset | Remediation | 6 | +12% Rem | 1 turn | Executives +5 |
| ACTION-09 Customer Notification | Communication | 10 | +20% Comm | 1 turn | Customers +15, Media +5 |
| ACTION-10 Regulatory Notification | Communication | 8 | +10% Comm | 1 turn | Regulators +20 |
| ACTION-11 Media Management | Communication | 12 | +15% Comm | 1 turn | Media +20, Customers +10 |
| ACTION-12 Board Communication | Communication | 9 | +12% Comm | 1 turn | Board +20, Executives +5 |
| ACTION-13 Ransom Decision | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | — (scoring only) |
| Holding Statement (free rule) | Communication | 0 | +5% Comm | 1 turn | — (stops Customer decay) |
Declare before the ransom deadline (default: start of Turn 5). One option, once per game:
Data-publication event: if the team has not PAID by the (possibly delayed) deadline: Customer trust -20, Media trust -15, plus the REFUSE penalty if applicable.
Facts: payment may violate OFAC sanctions if the actor is sanctioned; many insurers restrict or exclude ransom coverage; the FBI discourages payment; payment guarantees nothing.
At game end, compute Reputation:
FINAL REPUTATION = 100 (or 90/80 with the scope variant), then apply:
1. TRACK RESULTS (per track: Investigation, Remediation, Communication)
50-100% -> -0 | 25-49% -> -5 | 10-24% -> -10 | 0-9% -> -20
2. STAKEHOLDER TRUST (average of the five meters)
70%+ -> +5 | 50-69% -> 0 | 30-49% -> -10 | below 30% -> -20
3. DECISION & EVENT MODIFIERS (each at most once)
+5 Customers notified transparently by end of Turn 5
+3 per quality investigation completed (ACTION-01 or ACTION-04), MAX +6 per game
-5 / -15 / -20 ACTION-13: Negotiate / Pay / Refuse-and-published
-10 each: EVENT-05 Class Action, EVENT-06 Regulatory Fine, EVENT-08 Second Breach
-15 customers never notified in-game
-20 regulators never notified in-game
4. CLAMP to 0-100.
Worked example: see the module rules (docs/rules/module-disaster-recovery.md) — a 50-Budget team runs ACTION-02, -06, -10, NEGOTIATE, -05, -09 plus Holding Statements and finishes Inv 25 / Rem 35 / Comm 45, trust average 54 → Reputation 85.
| Final Reputation | Outcome | Interpretation |
|---|---|---|
| 85-100 | Exemplary | Crisis well-managed; stakeholder trust preserved; the organization recovers |
| 70-84 | Managed | Adequate response; some damage; recovery likely |
| 55-69 | Damaged | Poor response; significant customer loss; regulatory scrutiny; recovery uncertain |
| 40-54 | Mismanaged | Major reputational/financial damage; leadership changes likely |
| Below 40 | Catastrophic | Company survival in question; CEO likely replaced |
Loss precedence: (1) any stakeholder trust at 0% at any point = immediate loss; (2) otherwise, the tier table above. Below-20% trust is a critical warning state only.
PART 1: INVESTIGATION QUALITY (2 min)
1. "Did you investigate adequately? What's the total impact?"
2. "What important information did you miss?"
3. "Would better forensics have changed your decisions?"

PART 2: COMMUNICATION STRATEGY (2 min)
1. "How did you prioritize stakeholder notifications?"
2. "What would you communicate differently?"
3. "Did transparency help or hurt your reputation?"

PART 3: FINANCIAL DECISIONS (2 min)
1. "Did you pay the ransom? Why or why not?"
2. "What was your total incident cost (Budget spent × $50K, plus deferred penalties)?"
3. "Would different decisions have saved money?"

PART 4: RESPONSE QUALITY (2 min)
1. "If you replayed, what would you do first?"
2. "Which stakeholder relationship was hardest to preserve?"
3. "What was your biggest crisis decision?"

PART 5: REAL-WORLD CONNECTION (2 min)
1. "Compare your spending to actual breaches (Target, Equifax, etc.)"
2. "What's harder: prevention or response?"
3. "Why is it so expensive to manage a real breach?"
Small Breach (Beginner) — 50,000 records, opportunistic attacker, no subpoena (skip EVENT-12), total real-world loss ~$1-5M (narrative).
Medium Breach (Intermediate) — 500,000 records, ransom-seeking criminal group, full event timeline, total loss ~$5-50M (narrative).
Large Breach (Advanced) — 5M+ records, sophisticated attacker, use the scope variant (start computation at 80), total loss ~$50M+ (narrative).
Scope: 50,000 customer passwords exposed. Attacker: opportunistic; ransom demand small — try REFUSE and manage the fallout. Budget: 50. Focus: communicating bad news without panic. Lesson: even small breaches require careful stakeholder management.
Scope: 500,000 records via a compromised vendor. Budget: 50 (+ any carried over from prior modules). Focus: ACTION-04 Third-Party IR shines here; multi-stakeholder communication. Lesson: vendor relationships complicate crisis response.
Scope: 5M+ records; attacker won't negotiate (ACTION-13 offers REFUSE only). Use the scope variant (start at 80). Focus: damage control; accept a "Damaged" tier as a good result. Lesson: some breaches are unwinnable; response quality still matters.
If you scored 70+ (Managed or better):
- Continue to Audit & Compliance Module → validate response procedures post-breach
- Transition to Hardening Module → prevent similar breaches

If you scored below 70:
- Discuss what went wrong
- Replay the scenario with different decisions
- Study real breach case studies (Target, Equifax, SolarWinds)
Standalone: play again with a different breach type or attacker profile
Disaster Recovery Module - Standalone Play Guide
Part of Incident Zero, a modular cybersecurity board game
v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/crisis-action-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Crisis Action Cards represent the specific actions an organization can take during a breach to investigate, remediate, and respond. Teams deploy ONE Crisis Action each turn to advance three objectives: Investigation %, Remediation %, and Communication % (each tracked 0-100%). Track advances are deterministic — no dice are required to advance a track.
Money mapping: 1 Budget ≈ $50K. Dollar figures on cards (fines, ransom) use this mapping unless marked narrative-only.
Crisis Actions are organized into three categories, plus one decision card:

- Investigation Actions (4 cards)
  - Enable faster containment
- Remediation Actions (4 cards)
  - Rebuild infrastructure
- Communication Actions (4 cards)
  - Maintain customer trust
- Crisis Decision (1 card)
Some actions list Duration N (N greater than 1). The rule, defined once:
Duration N: the action occupies your action slot only on the turn it is started; its track advance completes and is applied at the start of the Nth following turn. Only one multi-turn action may be in flight at a time. While it is in flight, you may take single-turn actions on later turns, but you may not start another multi-turn action.
Example: ACTION-01 (Duration 2) started on Turn 2 applies its +25% Investigation at the start of Turn 4.
The signature d20 stays as an optional bonus only (it never gates track advancement): when a team plays an Action card with a strong, specific technical justification, the Threat Orchestrator may allow a d20 roll. On 11+, that action's track advance gains +5%. One roll per action card played.
This is a standing rule, not a numbered card. On any turn, instead of playing an Action card, the team may issue a Holding Statement (internal update / brief public status statement): it costs 0 Budget, advances Communication +5%, counts as a Communication action for decay purposes (so it stops Customer decay), and is always available.
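The turn engine below is an added example, not code from the Incident Zero project. It implements the deterministic parts of the turn structure and the Duration-N rule as stated above (the 8-turn clock, the Budget floor of 0, one multi-turn action in flight at a time with its advance landing at the start of the Nth following turn, trust effects applied on completion, the free Holding Statement, the Justification bonus, the Regulator -10 per turn from Turn 6 while ACTION-10 is not complete, and the 0% trust loss check) and replays the insider-threat line of play from the scenario notes. Event cards and Customer decay are left out because their full text is not on this page, so a real game's meters will differ; the CARDS table copies the Crisis Action card numbers, and every other name is an assumption of this example.

```python
"""Deterministic turn engine for the Disaster Recovery clock.

Added example, not code from the Incident Zero project. Rules implemented are
the ones stated on this page (turn structure, Duration-N, Justification bonus,
Holding Statement, Budget floor, Regulator deadline penalty, 0% trust loss).
Event cards and Customer decay are NOT modelled. Names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# card -> (cost, {track: advance}, duration, trust effects applied on completion);
# numbers copied from the Crisis Action card table.
CARDS = {
    "ACTION-01": (12, {"inv": 25}, 2, {"regulators": 10, "board": 5}),
    "ACTION-02": (8, {"inv": 15}, 1, {}),
    "ACTION-03": (5, {"inv": 10}, 1, {}),
    "ACTION-04": (20, {"inv": 30, "rem": 20}, 3, {"regulators": 15, "board": 15}),
    "ACTION-05": (10, {"rem": 20}, 1, {"executives": 5}),
    "ACTION-06": (8, {"rem": 15}, 1, {"executives": 5}),
    "ACTION-07": (15, {"rem": 25}, 2, {"executives": 5, "customers": 5, "board": 5}),
    "ACTION-08": (6, {"rem": 12}, 1, {"executives": 5}),
    "ACTION-09": (10, {"comm": 20}, 1, {"customers": 15, "media": 5}),
    "ACTION-10": (8, {"comm": 10}, 1, {"regulators": 20}),
    "ACTION-11": (12, {"comm": 15}, 1, {"media": 20, "customers": 10}),
    "ACTION-12": (9, {"comm": 12}, 1, {"board": 20, "executives": 5}),
    "HOLDING": (0, {"comm": 5}, 1, {}),   # free Holding Statement (standing rule)
}


class RuleError(Exception):
    """A play that breaks a rule, e.g. a second multi-turn action in flight."""


@dataclass
class Game:
    budget: int = 50
    turn: int = 1
    last_turn: int = 8                  # 10 only when EVENT-08 extends play
    tracks: Dict[str, int] = field(default_factory=lambda: {"inv": 0, "rem": 0, "comm": 0})
    trust: Dict[str, int] = field(default_factory=lambda: {
        "customers": 50, "regulators": 60, "media": 40, "board": 70, "executives": 80})
    in_flight: Optional[Tuple[str, int, int]] = None   # (card, completes_at_turn, bonus)
    regulators_notified: bool = False
    lost: Optional[str] = None
    log: List[str] = field(default_factory=list)

    @property
    def over(self) -> bool:
        return self.lost is not None or self.turn > self.last_turn

    def _complete(self, card: str, bonus: int) -> None:
        """Apply the card's track advance (+bonus, my reading: to each track it lists)
        and its trust effects; tracks cap at 100, meters clamp to 0-100."""
        _, advance, _, effects = CARDS[card]
        for track, pct in advance.items():
            self.tracks[track] = min(100, self.tracks[track] + pct + bonus)
        for meter, delta in effects.items():
            self.trust[meter] = max(0, min(100, self.trust[meter] + delta))
        if card == "ACTION-10":
            self.regulators_notified = True
        self.log.append(f"T{self.turn}: {card} complete")

    def start_of_turn(self) -> None:
        if self.in_flight and self.in_flight[1] == self.turn:
            card, _, bonus = self.in_flight
            self.in_flight = None
            self._complete(card, bonus)
        if self.turn >= 6 and not self.regulators_notified:   # EVENT-02 escalation
            self.trust["regulators"] = max(0, self.trust["regulators"] - 10)
            self.log.append(f"T{self.turn}: un-notified, Regulators -10")

    def play(self, card: str, justification_roll: Optional[int] = None) -> None:
        cost, _, duration, _ = CARDS[card]
        bonus = 5 if justification_roll is not None and justification_roll >= 11 else 0
        self.budget = max(0, self.budget - cost)              # Budget floor is 0
        if duration > 1:
            if self.in_flight is not None:
                raise RuleError("only one multi-turn action may be in flight")
            self.in_flight = (card, self.turn + duration, bonus)   # lands at start of T+N
            self.log.append(f"T{self.turn}: {card} started, completes T{self.turn + duration}")
        else:
            self._complete(card, bonus)

    def end_of_turn(self) -> None:
        if any(v <= 0 for v in self.trust.values()):
            self.lost = f"the company collapses on Turn {self.turn}"
        else:
            self.turn += 1


def run(plays: List[Tuple[str, Optional[int]]], game: Optional[Game] = None) -> Game:
    """Play one (card, d20 roll or None) entry per turn until the clock runs out."""
    if game is None:
        game = Game()
    for card, roll in plays:
        if game.over:
            break
        game.start_of_turn()
        game.play(card, roll)
        game.end_of_turn()
    return game


# Constructed from the insider-threat "Suggested line of play" (Budget 50).
INSIDER_PLAY = [("ACTION-03", None), ("ACTION-01", None), ("ACTION-10", None),
                ("ACTION-08", None), ("ACTION-09", None), ("ACTION-06", None),
                ("HOLDING", None), ("HOLDING", None)]

if __name__ == "__main__":
    g = run(INSIDER_PLAY)
    print(g.tracks, g.trust, g.budget)   # inv 35 / rem 27 / comm 40, Budget 1 left
```

Two consequences of the Duration rule fall straight out of the scheduler: ACTION-01 played on Turn 2 lands its +25% at the start of Turn 4, exactly as the example above states, and the same card played on Turn 7 never completes in an 8-turn game, which is the "eats the clock" lesson of the advanced scenario. Because the Regulator penalty is applied at the start of the turn, an ACTION-10 played on Turn 6 still takes the first -10.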
- Category: Investigation
- Cost: 12 Budget
- Investigation Advance: +25%
- Duration: 2 turns (multi-turn action)

Description: Forensic experts analyze compromised systems to determine:
- What data was accessed
- What was exfiltrated
- How long the attacker had access
- What attack techniques were used
- Evidence for legal proceedings

Key Details:
- Requires shutting down the compromised system (removes it from operation)
- Requires a forensics team (may need external consultants)
- Takes time (2 turns minimum)
- Provides detailed evidence
- Essential for legal action and regulatory compliance

When to Use:
- Need a definitive answer about breach scope
- Legal action is likely
- Compliance investigation required
- Regulatory agency involved

Risk if Not Done:
- Cannot determine the full extent of damage
- Cannot properly remediate (may miss persistence)
- No evidence for law enforcement
- Regulatory penalties for inadequate investigation

Regulatory Impact:
- Most breach notification laws require a "reasonable investigation"
- Forensic evidence may be required for regulatory compliance
- Better investigation = stronger regulatory defense

Team Trade-off:
- Expensive (12 Budget)
- Takes time (2 turns)
- But provides a high Investigation % advance
- Provides evidence for future action
- Category: Investigation
- Cost: 8 Budget
- Investigation Advance: +15%
- Duration: 1 turn

Description: The security team proactively searches logs and systems for:
- Other compromised systems
- Lateral movement indicators
- Persistence mechanisms
- Command & Control communication
- Evidence of data staging

Key Details:
- Requires a SIEM with good logging (if available)
- Team searches for attack indicators
- Can discover secondary compromises
- Lower cost than forensics but less detailed
- Faster than forensics (1 turn)

When to Use:
- Need to know if the compromise spread
- Want to find hidden persistence
- Time is critical (forensics takes 2 turns)
- Budget is constrained

Risk if Not Done:
- May not discover all compromised systems
- Attacker may maintain hidden access
- May lose evidence over time (logs rotate)
- Compliance investigation may be incomplete

Regulatory Impact:
- Shows a good-faith investigation effort
- Supports the "reasonable investigation" standard
- Evidence of a proactive security posture

Team Trade-off:
- Cheaper than forensics (8 Budget)
- Faster (1 turn vs. 2)
- Less detailed evidence
- Good balance of cost/time/effectiveness
- Category: Investigation
- Cost: 5 Budget
- Investigation Advance: +10%
- Duration: 1 turn

Description: The security team reviews available logs (firewall, VPN, Windows Event Log, application logs) to understand:
- When the breach was discovered
- What access was gained
- What systems were accessed
- What data might have been accessed
- Timeline of the attack

Key Details:
- Requires logs (must have been collecting logs)
- Basic analysis of existing logs
- Cheapest investigation action
- Quick (1 turn)
- Limited by log retention/quality
- Can be done internally (no external consultants)

When to Use:
- Budget is extremely tight
- Need a quick preliminary understanding
- Good logging infrastructure in place
- Time is critical

Risk if Not Done:
- No understanding of what happened
- Cannot determine scope or impact
- Regulatory agencies upset about the lack of investigation
- Potential for an incomplete response

Regulatory Impact:
- Minimal investigation (may not satisfy "reasonable investigation")
- Shows an attempt at investigation
- Not sufficient as the sole investigation method

Team Trade-off:
- Cheapest investigation (5 Budget)
- Fastest (1 turn)
- Limited effectiveness
- Often insufficient alone
ACTION-04 (Third-Party IR)
- Category: Investigation (+ Remediation)
- Cost: 20 Budget
- Investigation Advance: +30% (+ Remediation +20%)
- Duration: 3 turns (ongoing engagement)

Description: Bring in external incident response firm (forensics, incident handling, remediation specialists). They conduct:
- Comprehensive forensic investigation
- Breach scope determination
- Remediation recommendations
- Expert testimony for legal proceedings
- Regulatory coordination

Key Details:
- Very expensive (20 Budget)
- Takes significant time to mobilize
- Provides expert guidance and credibility
- Provides evidence acceptable in court
- Supports regulatory defense
- Multi-turn (Duration 3): occupies your action slot only on the turn started; see Multi-Turn Actions rule

When to Use:
- Major breach with legal implications
- Need expert investigation for court
- Regulatory agency demands expertise
- Internal team cannot handle scope
- Liability is significant

Benefits:
- Expert investigation (higher quality)
- Evidence for prosecution
- Regulatory/legal credibility
- Expert testimony available
- Ongoing support (3 turns)

Risk if Not Done:
- Without external expertise, breach response may be insufficient
- Legal case may fail (poor evidence)
- Regulatory penalties for inadequate investigation
- May miss critical evidence

Regulatory Impact:
- High credibility with regulators
- Better legal defense
- Shows serious investigation effort
- External experts satisfy "reasonable investigation"

Team Trade-off:
- Most expensive (20 Budget)
- Long commitment (Duration 3 — advances apply at the start of the 3rd following turn)
- But provides significant investigation + remediation
- Provides external expertise and credibility
- While in flight you may take single-turn actions, but no other multi-turn action (v2.2 Multi-Turn rule)
ACTION-05
- Category: Remediation
- Cost: 10 Budget
- Remediation Advance: +20%
- Duration: 1 turn

Description: Apply patches to the vulnerability that was exploited:
- Install OS patches (if vulnerability is OS-level)
- Update application (if vulnerability is app-level)
- Change default credentials
- Remove backdoor accounts
- Harden network configuration

Key Details:
- Targets the specific vulnerability that was exploited
- Must know what vulnerability was exploited (requires investigation)
- Can be done on specific systems or organization-wide
- Prevents same attack from succeeding again
- Does NOT remove attacker if already inside

When to Use:
- Know what vulnerability was exploited
- Want to prevent re-exploitation
- Can apply patch without affecting business
- Quick remediation needed

Risk if Not Done:
- Attacker can re-exploit same vulnerability
- Breach scope may grow
- Regulatory agency upset about lack of remediation
- Risk of breach happening again

Regulatory Impact:
- Shows timely remediation
- Prevents recurrence
- Good compliance posture
- Regulatory agencies expect patching

Team Trade-off:
- Moderate cost (10 Budget)
- Quick (1 turn)
- Fixes vulnerability
- But only prevents re-exploitation, doesn't remove attacker
ACTION-06
- Category: Remediation
- Cost: 8 Budget
- Remediation Advance: +15%
- Duration: 1 turn

Description: Remove compromised systems from network to:
- Stop attacker from using compromised system for lateral movement
- Prevent attacker from exfiltrating more data
- Preserve compromised system for forensics
- Limit blast radius of compromise

Key Details:
- Disconnect compromised system from network (kill network)
- System is still available for forensics
- Stops active attacker in that system
- Does NOT affect attacker if they're in other systems
- May impact business (systems are unavailable)

When to Use:
- Know which systems are compromised
- Want to stop active attacker
- Can tolerate system downtime
- Attacker is still actively in system

Risk if Not Done:
- Attacker continues using compromised system
- Lateral movement continues
- More data exfiltration
- Attacker may install additional backdoors

Regulatory Impact:
- Shows swift containment action
- Demonstrates incident response
- Limits liability (stopped attacker)
- Good compliance posture

Team Trade-off:
- Moderate cost (8 Budget)
- Quick (1 turn)
- Stops active attacker
- But impacts business operations
ACTION-07 (Rebuild)
- Category: Remediation
- Cost: 15 Budget
- Remediation Advance: +25%
- Duration: 2 turns (restore + verification)

Description: Rebuild compromised systems from backup:
- Restore system from clean backup (pre-compromise)
- Apply patches to prevent re-exploitation
- Restore only clean data
- Verify system is clean before returning to production
- Monitor restored system for attacker re-entry

Key Details:
- Requires backup of system (must exist and be clean)
- Takes time to restore (2 turns minimum)
- Removes all attacker artifacts
- Ensures system is truly clean
- Most reliable remediation method
- Dependent on backup quality/testing

When to Use:
- Backup exists and is verified clean
- System compromise is extensive
- Want to ensure complete attacker removal
- Business can tolerate 2-turn rebuild

Risk if Not Done:
- Attacker may maintain persistence (if system not rebuilt)
- Restore from backup with attacker in it = no improvement
- Compliance may require clean rebuild

Regulatory Impact:
- Shows complete remediation
- Demonstrates thorough approach
- Better regulatory outcome
- Shows commitment to clean recovery

Team Trade-off:
- Higher cost (15 Budget)
- Takes time (2 turns)
- But provides complete remediation
- Most reliable method
ACTION-08
- Category: Remediation
- Cost: 6 Budget
- Remediation Advance: +12%
- Duration: 1 turn

Description: Revoke and reset all potentially compromised credentials:
- Reset passwords for all accounts that touched compromised system
- Revoke tokens/API keys
- Reset VPN credentials
- Update database passwords
- Revoke certificates/SSH keys

Key Details:
- Prevents attacker from using stolen credentials
- Must do if credentials were compromised (stolen by Mimikatz, etc.)
- Can cause business disruption (users locked out)
- Quick and important
- Often overlooked but critical

When to Use:
- Credentials were likely compromised
- Attacker had access to credential stores
- Need to prevent attacker re-entry via stolen credentials
- Quick credential reset is possible

Risk if Not Done:
- Attacker can use stolen credentials to re-enter
- Lateral movement using stolen creds continues
- Breach is not truly contained
- Regulatory violation (allowing unauthorized access)

Regulatory Impact:
- Essential remediation step
- Shows understanding of attack chain
- Prevents credential reuse attacks
- Regulatory expectation

Team Trade-off:
- Low cost (6 Budget)
- Quick (1 turn)
- Important and often overlooked
- Can cause short-term business disruption
ACTION-09 (Customer Notification)
- Category: Communication
- Cost: 10 Budget
- Communication Advance: +20%
- Duration: 1 turn (but affects later turns)
- Deadline (v2.2): Recommended by end of Turn 5. If not completed by then: Customer trust -10 at the start of each later turn; if never completed in-game: -15 Reputation at final scoring (deferred statutory violation).

Description: Notify customers that their data may have been breached:
- Determine which customers were affected
- Prepare notification message
- Send via email, mail, or phone
- Provide information about what was accessed
- Offer credit monitoring/identity protection if applicable
- Field customer questions/complaints

Key Details:
- Required by breach notification laws ("without unreasonable delay" in California and most U.S. states; GDPR requires notifying individuals without undue delay when risk is high)
- Can be very expensive if many customers affected
- Notification can cause loss of customer trust
- Early notification shows good faith
- Delayed notification shows company doesn't care
- Impacts Customers stakeholder directly

Regulatory Requirements:
- Most laws require notification "without unreasonable delay"; some states set specific outer limits
- California: notify without unreasonable delay; CCPA statutory damages fuel class actions
- Notification must include:
  - What information was accessed
  - Recommended actions
  - Contact information
  - Free credit monitoring (sometimes)

When to Use:
- Customer data was accessed in breach
- Regulatory requirement to notify
- Want to rebuild customer trust
- Transparency is important

Risk if Not Done:
- Regulatory violation (fines, penalties)
- Customer discovery + lawsuits
- Loss of customer trust (worse than notification)
- Reputation damage from cover-up worse than from breach

Regulatory Impact:
- Many states REQUIRE customer notification
- California law, GDPR, and other state laws all require notification; CCPA statutory damages fuel class actions
- Without notification = regulatory violation + fines
- Proactive notification = better regulatory relationship

Team Trade-off:
- Moderate cost (10 Budget)
- Can be done quickly (1 turn)
- Required by law (usually)
- Impacts Customers stakeholder (see Stakeholder Cards)
- Must be done eventually
ACTION-10 (Regulatory Notification)
- Category: Communication
- Cost: 8 Budget
- Communication Advance: +10%
- Duration: 1 turn (but ongoing for months)
- Deadline (v2.2): Must be completed by end of Turn 8 (the GDPR 72-hour anchor). Escalating penalty from Turn 6: if not yet completed, Regulator trust -10 at the start of Turns 6, 7, and 8. If never completed in-game: -20 Reputation at final scoring (deferred fine).

Description: Notify appropriate regulatory agencies:
- Contact FBI/Secret Service (federal crimes)
- Contact state attorney general (breach notification)
- Contact relevant sector regulator (HHS for healthcare, OCC for banking, etc.)
- Contact DHS (if critical infrastructure)
- Coordinate with law enforcement

Key Details:
- Required by law in many cases (healthcare, financial, etc.)
- May trigger investigation by law enforcement
- Can help recover stolen data
- Provides some legal protection
- Can delay prosecution (if they're investigating)
- Required before public disclosure in some cases

Regulatory Requirements:
- EU data (GDPR): Must notify the supervisory authority within 72 hours; fines up to €20M or 4% of global turnover, whichever is HIGHER (narrative-only figure)
- Healthcare (HIPAA): Must report to HHS Office for Civil Rights
- Financial (GLBA/FFIEC): Must report to banking regulators
- Payment cards (PCI-DSS): Must report to card networks
- Critical infrastructure: Must report to DHS/CISA

When to Use:
- Data breach triggers regulatory requirement
- Want law enforcement assistance
- Want to establish good faith investigation
- Legal team recommends it

Risk if Not Done:
- Regulatory violation if required
- Law enforcement cannot assist
- Company appears to be hiding breach
- Regulators may impose penalties

Regulatory Impact:
- Required in many cases (legal obligation)
- Shows cooperation with authorities
- May help recover stolen data
- Better regulatory relationship
- May reduce penalties (self-reporting)

Team Trade-off:
- Moderate cost (8 Budget)
- Ongoing (involves multiple turns of coordination)
- Required by law (usually)
- Impacts Regulators stakeholder (see Stakeholder Cards)
- Must be done in most cases
ACTION-11 (Media Management)
- Category: Communication
- Cost: 12 Budget
- Communication Advance: +15%
- Duration: 1 turn (but ongoing for days/weeks)

Description: Manage media coverage and public perception:
- Prepare press statement
- Contact media proactively
- Manage social media response
- Coordinate CEO/executive messaging
- Defend company reputation
- Provide accurate information to media

Key Details:
- Can heavily influence public perception
- Proactive messaging better than reactive
- Media coverage can amplify damage
- Poor communication = reputation disaster
- Good communication = company "handled it well"
- PR firm may be needed (crisis PR)

When to Use:
- Breach is significant (likely to attract media)
- Company has public reputation risk
- Customers are media-aware (B2C more than B2B)
- Proactive messaging is possible

Risk if Not Done:
- Media covers story with only attacker's perspective
- Reputation damage from poor response
- Stock price may drop (if public company)
- "No comment" looks like company is hiding
- Social media amplifies negative coverage

Impact if Done Well:
- "Company handled breach responsibly"
- Trust is maintained or recovered
- Stock price less impacted
- Reputation damage is contained
- Customer retention better

Team Trade-off:
- Higher cost (12 Budget)
- Ongoing (multiple turns)
- Impacts Media/Board stakeholder (see Stakeholder Cards)
- Critical for public companies
- Can significantly affect perception
ACTION-12 (Board Communication)
- Category: Communication
- Cost: 9 Budget
- Communication Advance: +12%
- Duration: 1 turn (but triggers Board Meeting - see Event Cards)

Description: Inform board of directors and shareholders about breach:
- Prepare incident briefing for board
- Present forensics findings
- Discuss regulatory/legal implications
- Present remediation plan and costs
- Discuss risk mitigation going forward
- Field board questions

Key Details:
- Board must be informed promptly
- Disclosure may be required (SEC rules if public company)
- Board has fiduciary duty to inform shareholders
- Lawsuit risk if board hides information
- Board can fire CEO if response is poor
- Must include implications for D&O insurance

Regulatory Requirements:
- SEC disclosure rules (if public company)
- State corporate law (fiduciary duty)
- Insurance requirements (D&O coverage)

When to Use:
- Board needs to understand breach
- Public company (SEC disclosure likely needed)
- Board questions will come (better to be prepared)
- Shareholder lawsuits are likely

Risk if Not Done:
- Board discovers breach from media = crisis of confidence
- Shareholder lawsuits for non-disclosure
- SEC investigation for disclosure violations
- CEO may be fired (looked like hiding information)
- Stock price crashes when discovered

Impact if Done Well:
- Board is informed and supportive
- No surprise when disclosed
- Board can defend company (if sued)
- Stock market takes news in stride
- Organized response is possible

Team Trade-off:
- Moderate cost (9 Budget)
- Critical for public companies
- Impacts Board stakeholder (see Stakeholder Cards)
- Required by law (usually)
- Complete before EVENT-04 (Board Meeting, scheduled Turn 3) to be "prepared" (see Event Cards)
ACTION-13
- Category: Crisis Decision
- Cost: Varies by option (see below)
- Timing: Play at any time before the ransom deadline (default: start of Turn 5). Playing this card does NOT use your turn's action slot — it is a decision made in addition to your normal action. Once per game. If no decision is made by the deadline, the team is treated as having chosen REFUSE. Used only in scenarios with a ransom/extortion demand.

Choose exactly ONE option:

Option A — PAY
- Cost: 20 Budget (≈ $1M at 1 Budget ≈ $50K)
- Reputation: -15 at final scoring
- Effect: The data-publication event is skipped/cancelled. +20% Remediation immediately (decryption keys restore systems).
- No guarantee: The Threat Orchestrator rolls a d20. On 1-5, the keys don't work — no refund, and the Remediation advance is +0% instead of +20%. (The publication event stays cancelled; the attacker took the money and moved on.)
- Flavor: "Criminals are not a customer-service organization."

Option B — NEGOTIATE
- Cost: 5 Budget (negotiator/counsel fees)
- Reputation: -5 at final scoring
- Effect: The data-publication event is delayed by 2 turns (default: from start of Turn 5 to start of Turn 7). Buys time to notify stakeholders and remediate before publication.

Option C — REFUSE
- Cost: 0 Budget
- Reputation: No immediate change. If the data-publication event triggers later: -20 Reputation at final scoring.
- Effect: No payment, no delay. Focus budget on investigation, remediation, and communication.

Data-Publication Event (reference): In ransom scenarios, if the team has not PAID by the ransom deadline (default: start of Turn 5; +2 turns if NEGOTIATE), the attacker publishes stolen data: Customer trust -20, Media trust -15 (and the REFUSE scoring penalty above, if applicable).

Legal & practical facts (corrected v2.2):
- Payment may violate OFAC sanctions if the threat actor is sanctioned; many insurers restrict or exclude ransom coverage
- Law enforcement (FBI) discourages payment — it funds and incentivizes future attacks
- Payment does not guarantee data deletion or working keys
Educational Purpose: There is no "right" answer — payment is a genuine trade-off between operational recovery, ethics, legality, and reputation.
| Card | Category | Cost | Advance | Duration | Key Benefit |
|---|---|---|---|---|---|
| ACTION-01 | Investigation | 12 | +25% | 2 turns | Expert forensics |
| ACTION-02 | Investigation | 8 | +15% | 1 turn | Find hidden compromises |
| ACTION-03 | Investigation | 5 | +10% | 1 turn | Quick log analysis |
| ACTION-04 | Investigation | 20 | +30% Inv / +20% Rem | 3 turns | Third-party expertise |
| ACTION-05 | Remediation | 10 | +20% | 1 turn | Fix vulnerability |
| ACTION-06 | Remediation | 8 | +15% | 1 turn | Contain attacker |
| ACTION-07 | Remediation | 15 | +25% | 2 turns | Clean rebuild |
| ACTION-08 | Remediation | 6 | +12% | 1 turn | Revoke access |
| ACTION-09 | Communication | 10 | +20% | 1 turn | Notify customers (by Turn 5) |
| ACTION-10 | Communication | 8 | +10% | 1 turn | Notify regulators (by Turn 8) |
| ACTION-11 | Communication | 12 | +15% | 1 turn | Media management |
| ACTION-12 | Communication | 9 | +12% | 1 turn | Board notification (before Turn 3) |
| ACTION-13 | Crisis Decision | 0/5/20 | Pay: +20% Rem | Instant | Ransom decision (once per game) |
| Free | Communication | 0 | +5% | 1 turn | Holding Statement (standing rule, not a card) |
Budget floor (v2.2): Budget can never go below 0. If you cannot afford any card, the free Holding Statement is always available.
Teams must balance three objectives (each goes 0-100%):
- Investigation %: Understand scope and impact
- Remediation %: Fix vulnerability and remove attacker
- Communication %: Manage stakeholders and public perception

Investigation-Heavy Strategy:
- Spend early turns investigating (ACTION-01, ACTION-02, ACTION-04)
- Then remediate with full knowledge
- Advantage: Know exactly what happened
- Disadvantage: Takes time, attacker may still be active

Remediation-Heavy Strategy:
- Contain and clean immediately (ACTION-06, ACTION-07, ACTION-08)
- Investigate after containment
- Advantage: Stop attacker quickly
- Disadvantage: May miss something, incomplete cleanup

Balanced Strategy:
- Do some investigation + some remediation each turn
- Use cheaper actions (ACTION-03, ACTION-06, ACTION-08)
- Save expensive actions for critical moments
- Advantage: Steady progress on all three objectives

Early Communication:
- Notify stakeholders early (ACTION-09, ACTION-10, ACTION-12)
- Show proactive response
- Maintain trust and credibility

Late Communication:
- Wait until full picture is known
- Risk: Stakeholders discover from media
- Risk: Looks like hiding information

Selective Communication:
- Notify regulators (required by law)
- Delay customer notification (if allowed)
- Focus on internal response first
With 50 Budget, the mandatory crisis beats are always affordable:
Cheapest mandatory path: 5 + 8 + 10 + 6 = 29 Budget. A stronger balanced path (ACTION-02 + ACTION-10 + ACTION-09 + ACTION-05 + ACTION-06) costs 44 Budget — still within 50.
Disaster Recovery Module: Crisis Action Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/event-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Event Cards represent external events that occur during the crisis—some predictable deadlines, some escalations triggered by the team's situation. Events create time pressure and complicate the response.
Money mapping: 1 Budget ≈ $50K. Dollar figures are narrative unless converted to Budget on the card.
The game lasts 8 turns. Each turn is one crisis phase of roughly 6-12 hours of narrative time:
| Turn | Narrative Time | Anchor |
|---|---|---|
| 1 | Detection +6h | Internal discovery |
| 2 | +12h | Legal/executive escalation complete |
| 3 | +18h | Board meets |
| 4 | +24h | Day 1 ends |
| 5 | +36h | Customer notification recommended deadline; default ransom deadline |
| 6 | +48h | Regulatory escalation begins |
| 7 | +60h | Legal/government pressure peaks |
| 8 | +72h | GDPR 72-hour regulatory notification deadline — game ends |
All deadlines in this module use this clock. There are no other timers.
At setup:
1. Place the 6 Scheduled events face-down on the timeline at their printed turns.
2. Place the 6 Triggered events face-up in a reference row where everyone can read their trigger conditions.

Each turn (start of turn):
1. Reveal and resolve any Scheduled event placed on this turn.
2. Check every un-fired Triggered event's condition; resolve any whose condition is now met.
3. Each event fires once per game.
Trust changes from events clamp to 0-100%. Budget changes clamp to a floor of 0.
EVENT-01 First Media Coverage
- Scheduled: Turn 2
- Type: Discovery

Description: A news outlet publishes a story about the breach:
- "Company Suffers Data Breach" headline
- Unnamed source gives details
- Story spreads on social media
- Phone starts ringing with reporter calls

Resolution:
- If ACTION-11 (Media Management) was completed before this turn: Media trust +5 (proactive framing works)
- Otherwise: Media trust -10 (the story runs without your side)

Duration: Ongoing narrative (media coverage continues)
EVENT-04 Board Meeting
- Scheduled: Turn 3
- Type: Governance

Description: The board of directors holds an emergency meeting to review breach scope, investigation progress, remediation plan, budget, and executive performance.

Resolution:
- If ACTION-12 (Board Communication) was completed before this turn: Board trust +10 (prepared briefing)
- Otherwise: Board trust -20 (the board learns details from the news, not from you)

Team Preparation:
- Should have forensics/investigation underway
- Should have preliminary findings
- Should have a communication plan
- CEO should be briefed
EVENT-03 Customer Notification Window
- Scheduled: Turn 5
- Type: Deadline checkpoint

Description: Counsel confirms customer notification should not wait any longer. Real-world laws require notification "without unreasonable delay" — in this game, the recommended deadline is end of Turn 5.

Resolution:
- If ACTION-09 (Customer Notification) is completed by end of Turn 5: no penalty. If it was framed transparently, +5 Reputation at final scoring.
- If not: Customer trust -10 now and at the start of each later turn until ACTION-09 is completed.
- Deferred consequence: if customers are never notified in-game, -15 Reputation at final scoring (the statutory notification window is missed after the game ends).
EVENT-09 Shareholder Pressure
- Scheduled: Turn 5 (public companies only — skip for private companies)
- Type: Governance

Description: Shareholder activists contact the board: demand explanations, threaten a proxy fight, and give interviews about leadership failure.

Resolution:
- If ACTION-12 (Board Communication) has been completed: Board trust -5 (pressure is absorbed)
- Otherwise: Board trust -15
EVENT-02 Regulatory 72h Deadline
- Scheduled: Turn 6 (escalation begins; final deadline end of Turn 8)
- Type: Deadline

Description: The GDPR-style 72-hour clock is running out. Regulators expect notification of the breach (ACTION-10) before the clock expires at end of Turn 8.

Resolution:
- If ACTION-10 (Regulatory Notification) is already completed: Regulator trust +5 (early, cooperative notification)
- If not: Regulator trust -10 now and at the start of each later turn (Turns 6, 7, 8) until ACTION-10 is completed.
- Deferred consequence: if regulators are never notified in-game, -20 Reputation at final scoring (deferred fine — GDPR fines run up to €20M or 4% of global turnover, whichever is HIGHER; narrative-only figure).
EVENT-12 Government Subpoena
- Scheduled: Turn 7 (medium/large breaches — skip for small-scope games)
- Type: Legal

Description: A subpoena arrives (FBI, state attorney general, or a congressional inquiry): turn over evidence, provide executive testimony, comply with the investigation.

Resolution:
- Budget -5 (legal fees; floor 0)
- Executive trust -10 (executives in the spotlight)
- Investigation +5% (compelled evidence-sharing accelerates fact-finding)

Opportunity: an independent investigation can validate a good-faith response; law enforcement may help recover evidence.
EVENT-05 Class Action
- Trigger: ACTION-09 not completed by end of Turn 5, OR Customer trust below 20% at the start of any turn.
- Type: Legal

Description: A law firm recruits customers and files a class action: "Jane Doe et al. vs. [Company Name]" — failure to protect data, failure to notify in a timely way, damages plus attorney fees.

Effects:
- Customer trust -15
- Board trust -10
- -10 Reputation at final scoring

Team Response: Cannot be undone — only mitigated by rebuilding trust for the rest of the game.
EVENT-06 Regulatory Fine
- Trigger: Regulator trust below 20% at the start of any turn. (If regulators are never notified in-game, the deferred -20 Reputation from EVENT-02 applies at scoring instead — do not double-apply.)
- Type: Regulatory

Description: A regulator announces a penalty for inadequate security and delayed cooperation.

Effects:
- Budget -10 (≈ $500K; floor 0)
- Board trust -10
- -10 Reputation at final scoring

Real-world scale (narrative-only): turnover-based regimes drive the largest penalties — GDPR fines can reach €20M or 4% of global turnover, whichever is HIGHER.
EVENT-07 Media Frenzy
- Trigger: Media trust below 20% at the start of any turn, OR no Communication-category action completed by end of Turn 3.
- Type: Communication

Description: Major outlets pick up the story: national coverage, "Massive Data Breach" headlines, social media amplification.

Effects:
- Media trust -20
- Customer trust -15
- Board trust -10

Team Response: ACTION-11 (Media Management) plus visible, transparent leadership.
EVENT-08 Second Breach
- Trigger: At the start of Turn 6, Remediation is below 30% AND ACTION-07 (Rebuild) has not been completed.
- Type: Escalation — once per game

Description: While responding to the first breach, investigators discover another compromised data store — the attacker maintained hidden persistence.

Effects:
- The game extends by +2 turns (once per game): play now runs to Turn 10. Scoring deadlines do NOT move — the regulatory deadline remains end of Turn 8.
- Investigation -30% (new breach invalidates part of your picture)
- Customer trust -20, Regulator trust -15, Media trust -10, Board trust -15
- Board releases +10 emergency Budget
- -10 Reputation at final scoring

Prevention: ACTION-07 (Rebuild), ACTION-04 (Third-Party IR), or strong Remediation progress by Turn 6.
EVENT-10 Competitor Advantage
- Trigger: Customer trust below 40% at the start of Turn 5 or any later turn.
- Type: Business

Description: A competitor launches a "Trust us with your data" campaign aimed at your customers.

Effects:
- Customer trust -10
- Budget -5 (lost revenue; floor 0)

Team Response: Customer communication and visible security improvements; trust can rebuild over the remaining turns.
EVENT-11 Executive Resignation
- Trigger: Executive trust below 30% at the start of any turn.
- Type: Internal

Description: A key executive (CISO, CTO, General Counsel, or CFO) resigns mid-crisis, citing "personal reasons" — really: "I don't trust this response."

Effects:
- Executive trust -10
- Board trust -10
- While Executive trust remains below 30%, the Justification bonus (optional +5% d20) is unavailable — leadership vacuum

Prevention: Regular internal communication, visible progress, board support.
| Event | Kind | Turn / Trigger | Core Effect |
|---|---|---|---|
| EVENT-01 First Media Coverage | Scheduled | Turn 2 | Media +5 if ACTION-11 done, else -10 |
| EVENT-04 Board Meeting | Scheduled | Turn 3 | Board +10 if ACTION-12 done, else -20 |
| EVENT-03 Customer Notification Window | Scheduled | Turn 5 | -10 Customer/turn if ACTION-09 late; never = -15 Rep |
| EVENT-09 Shareholder Pressure | Scheduled | Turn 5 (public co.) | Board -5 (prepared) or -15 |
| EVENT-02 Regulatory 72h Deadline | Scheduled | Turn 6 (deadline Turn 8) | -10 Regulator/turn while un-notified; never = -20 Rep |
| EVENT-12 Government Subpoena | Scheduled | Turn 7 (med/large) | Budget -5, Exec -10, Investigation +5% |
| EVENT-05 Class Action | Triggered | Customers un-notified after T5 or trust <20% | Cust -15, Board -10, -10 Rep |
| EVENT-06 Regulatory Fine | Triggered | Regulator trust <20% | Budget -10, Board -10, -10 Rep |
| EVENT-07 Media Frenzy | Triggered | Media <20% or silent through T3 | Media -20, Cust -15, Board -10 |
| EVENT-08 Second Breach | Triggered | T6: Remediation <30%, no rebuild | +2 turns (once), Inv -30%, trust hits, -10 Rep |
| EVENT-10 Competitor Advantage | Triggered | Customer trust <40% from T5 | Cust -10, Budget -5 |
| EVENT-11 Executive Resignation | Triggered | Executive trust <30% | Exec -10, Board -10, no Justification bonus |
| Deadline | Turn | If missed |
|---|---|---|
| Internal legal/executive escalation | End of Turn 2 | Narrative only (relabeled from the old "12-hour regulatory deadline" — the regulatory anchor is GDPR 72h) |
| Customer notification (ACTION-09) recommended | End of Turn 5 | Customer trust -10/turn; EVENT-05 may trigger; never notified = -15 Reputation at scoring |
| Ransom decision (ACTION-13) | Start of Turn 5 (default; +2 turns if NEGOTIATE) | Treated as REFUSE; data-publication event fires |
| Regulatory notification (ACTION-10) | End of Turn 8 (escalating from Turn 6) | Regulator trust -10/turn from Turn 6; never notified = -20 Reputation at scoring |
Former "30-day"/"60-day" deadlines from v2.1 are re-expressed as the deferred final-scoring consequences above — they no longer exist as separate timers.
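As an added example (not part of the RetroVerse bundle), a small Python checker that runs the two notification timers from the deadline table through the turn clock, so a Threat Orchestrator can verify a scoring line by hand. It models only ACTION-09/ACTION-10, the Customer trust decay, EVENT-05/EVENT-06, the clamps and the deferred penalties; a starting Board trust of 50 is assumed because that stakeholder card is not in this excerpt.

```python
"""Deadline-clock checker for the v2.2 notification timers (added example,
not part of the RetroVerse bundle).

Models the two statutory-style deadlines from the deadline table (ACTION-09 by
end of Turn 5, ACTION-10 by end of Turn 8), the Customer trust decay from
Turn 3, the triggered EVENT-05 / EVENT-06, the 0-100 trust clamp, the Budget
floor and the deferred final-scoring penalties. Dice, other cards and other
events are ignored. "Completed by end of Turn N" is read as: a card played on
Turn N counts as done for every check from the start of Turn N+1.
"""
from dataclasses import dataclass, field
from typing import Optional

GAME_TURNS = 8   # fixed clock; EVENT-08's +2-turn extension is not modelled


@dataclass
class Board:
    customer_trust: int = 50   # Customers start at 50% (stakeholder card)
    regulator_trust: int = 60  # Regulators start at 60% (stakeholder card)
    board_trust: int = 50      # ASSUMED start value; the Board card is not in this excerpt
    budget: int = 50           # starting Budget named in the strategy notes
    reputation: int = 0        # final-scoring modifier accumulated in play
    collapsed: bool = False    # Customer trust 0% = immediate loss (v2.2 single rule)
    fired: set = field(default_factory=set)   # every event fires once per game
    log: list = field(default_factory=list)

    def adjust(self, meter: str, delta: int, why: str) -> None:
        value = getattr(self, meter) + delta
        if meter == "budget":
            value = max(0, value)              # Budget floor: never below 0
        elif meter != "reputation":
            value = max(0, min(100, value))    # trust meters clamp to 0-100
        setattr(self, meter, value)
        self.log.append(f"{why}: {meter} {delta:+d} -> {value}")


def is_done(done_turn: Optional[int], at_turn: int) -> bool:
    """True if a card completed on `done_turn` counts as done at the start of `at_turn`."""
    return done_turn is not None and done_turn < at_turn


def start_of_turn(b: Board, turn: int, first_comm, done09, done10) -> None:
    """Start-of-turn sequence: scheduled events first, then every un-fired trigger."""
    # 1. Scheduled events placed on this turn.
    if turn == 5:
        b.fired.add("EVENT-03")                 # opens the customer-notification window
    if turn == 6:
        b.fired.add("EVENT-02")                 # regulatory 72h clock: escalation begins
        if is_done(done10, turn):
            b.adjust("regulator_trust", +5, "EVENT-02 early, cooperative notification")
    # The late-notification hit and the no-communication decay never stack:
    # apply one Customer penalty per turn.
    if turn > 5 and not is_done(done09, turn):
        b.adjust("customer_trust", -10, f"T{turn} customers still un-notified (EVENT-03)")
    elif turn >= 3 and not is_done(first_comm, turn):
        b.adjust("customer_trust", -10, f"T{turn} no Communication action yet (decay)")
    if 6 <= turn <= 8 and not is_done(done10, turn):
        b.adjust("regulator_trust", -10, f"T{turn} regulators still un-notified (EVENT-02)")

    # 2. Triggered events, checked after the scheduled ones have moved the meters.
    late09 = turn > 5 and not is_done(done09, turn)
    if "EVENT-05" not in b.fired and (late09 or b.customer_trust < 20):
        b.fired.add("EVENT-05")
        b.adjust("customer_trust", -15, "EVENT-05 Class Action")
        b.adjust("board_trust", -10, "EVENT-05 Class Action")
        b.adjust("reputation", -10, "EVENT-05 Class Action")
    if "EVENT-06" not in b.fired and b.regulator_trust < 20:
        b.fired.add("EVENT-06")
        b.adjust("budget", -10, "EVENT-06 Regulatory Fine")
        b.adjust("board_trust", -10, "EVENT-06 Regulatory Fine")
        b.adjust("reputation", -10, "EVENT-06 Regulatory Fine")
    if b.customer_trust == 0:
        b.collapsed = True


def final_scoring(b: Board, done09, done10) -> Board:
    """Deferred consequences for cards never played in-game."""
    if done09 is None:
        b.adjust("reputation", -15, "customers never notified (deferred statutory violation)")
    if done10 is None:
        if "EVENT-06" in b.fired:   # EVENT-06's Rep hit is replaced, not doubled (my reading of the card)
            b.adjust("reputation", +10, "EVENT-06 Rep superseded by EVENT-02 deferred fine")
        b.adjust("reputation", -20, "regulators never notified (deferred fine)")
    return b


def run(first_comm=None, done09=None, done10=None, turns: int = GAME_TURNS) -> Board:
    """first_comm / done09 / done10: turn on which the first Communication-category
    action (the free Holding Statement counts), ACTION-09 and ACTION-10 were
    completed; None means never. Returns the board after final scoring."""
    firsts = [t for t in (first_comm, done09, done10) if t is not None]
    first_comm = min(firsts) if firsts else None   # ACTION-09/10 are Communication actions too
    b = Board()
    for turn in range(1, turns + 1):
        start_of_turn(b, turn, first_comm, done09, done10)
        if b.collapsed:
            break
    return final_scoring(b, done09, done10)


if __name__ == "__main__":
    for line in run(first_comm=2, done09=7, done10=8).log:
        print(line)
```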
Standard 8-Turn Disaster Recovery Game:
| Turn | Scheduled Event | Typical Focus |
|---|---|---|
| 1 | — | Investigate, contain |
| 2 | First Media Coverage | Investigation, media prep |
| 3 | Board Meeting | Board briefed, regulators notified early |
| 4 | — | Remediation |
| 5 | Customer Notification Window + Shareholder Pressure | Customer notification, ransom decision |
| 6 | Regulatory 72h Deadline (escalation begins) | Regulators notified (if not already), remediation |
| 7 | Government Subpoena | Final remediation, communication |
| 8 | — (game ends at +72h) | Wrap-up actions, final scoring |
Disaster Recovery Module: Event Timeline Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/core-deck/stakeholder-cards.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Stakeholder Cards represent the key groups affected by a data breach. Each stakeholder has a trust/satisfaction level (0-100%) that changes based on team actions. Stakeholders can escalate if not managed (triggering Events and budget costs).
All older thresholds ("<30% trust = loss", "keep above 30/40/50 to win") are removed in v2.2.
Stakeholder: Customers
- Stakeholder Type: External
- Primary Concern: Data privacy and service availability
- Trust Meter: Starts at 50%
- Decay (v2.2): From Turn 3 onward, if the team has completed no Communication-category action (the free Holding Statement counts), Customer trust -10 at the start of each turn. This does not stack with the Turn-5 notification penalty (EVENT-03) — apply one, not both, per turn.
- Below 20% = CRITICAL warning state (may trigger EVENT-05).

Description: The customers whose data was breached. They want to know:
- What data was accessed
- Whether it was encrypted
- What they should do (change password, watch credit)
- Whether the company is protecting them
- Whether to switch providers

Behavior:
- High Trust (70%+): Continue using service, minor PR impact
- Medium Trust (40-70%): Some customer loss, but company is "handling it"
- Low Trust (<40%): Customer exodus, lawsuits, regulatory investigation
- Critical (<20%): Mass churn, bankruptcy risk, acquisition/collapse

What Affects Trust:
- Increases Trust:
  - Customer Notification (ACTION-09): +15%
  - Public statement about patch/fix: +5%
  - Free credit monitoring offer: +10%
  - Quick response time: +5% per turn if investigating

Goal:
- Ideally maintain above 50% for a positive outcome (trust feeds the final Reputation computation)

Loss (v2.2 single rule):
- Customer trust at 0% = company collapses (immediate loss)
- Narrative: mass churn, lawsuits, bankruptcy/acquisition

Crisis Actions That Help:
- ACTION-09 (Customer Notification): +15% trust
- ACTION-11 (Media Management): +10% trust
- Any remediation action that shows progress: +2-5%

Special Events:
- If trust drops too low, class action lawsuit filed (see Event Cards)
- If trust stays high, customer retention and recovery possible
- Media coverage affects customer trust (see Stakeholder: Media)
Stakeholder: Regulators
Stakeholder Type: Government/Legal
Primary Concern: Compliance with breach notification laws
Trust Meter: Starts at 60%
Escalation (v2.2): If ACTION-10 is not completed, Regulator trust -10 at the start of each turn from Turn 6 (see EVENT-02). Below 20% = CRITICAL warning state (triggers EVENT-06 Regulatory Fine).

Description: Government agencies that regulate data privacy:
- State attorneys general (breach notification laws)
- Federal regulators (healthcare, financial, etc.)
- International regulators (GDPR if any EU customers)
- Law enforcement (FBI, Secret Service)

Behavior:
- High Confidence (70%+): Voluntary cooperation, no penalties
- Medium Confidence (40-70%): Investigation, possible fines
- Low Confidence (<40%): Aggressive investigation, significant fines
- Critical (<20%): Criminal prosecution, company shut down

What Affects Regulatory Confidence:
- Increases Confidence:
  - Regulatory Notification (ACTION-10): +20%
  - Prompt customer notification: +10%
  - Third-party incident response (ACTION-04): +15%
  - Forensic evidence: +10%
  - Proactive remediation: +5%

Regulatory Requirements Vary (real-world flavor; the in-game clock is GDPR 72h = end of Turn 8):
- GDPR (EU): Notify the supervisory authority within 72 hours of becoming aware of the breach; fines up to €20M or 4% of global annual turnover, whichever is HIGHER
- California: Notify without unreasonable delay; CCPA statutory damages fuel class actions
- HIPAA: Notify affected individuals without unreasonable delay and no later than 60 days after discovery (healthcare)
- Sector-Specific: Finance and healthcare have stricter rules

Goal:
- Maintain regulatory confidence above 50%
- Comply with the Turn-8 notification requirement

Loss (v2.2 single rule):
- Regulator trust at 0% = company collapses (immediate loss)
- Narrative: crippling fines, criminal prosecution, license revoked

Crisis Actions That Help:
- ACTION-10 (Regulatory Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% confidence
- ACTION-05, ACTION-07 (Remediation): +5-10%

Special Events:
- If the notification deadline is missed: Regulatory Penalty Event
- If confidence drops too low: Fine Assessment Event
- If properly handled: Regulatory Cooperation Event (reduced penalties)
Stakeholder: Media
Stakeholder Type: External / Communication
Primary Concern: A newsworthy story (the bigger the story, the bigger the problem)
Trust Meter: Starts at 40% (media is naturally skeptical)
Escalation: Escalates based on the quality of the company's response

Description: Media outlets, journalists, bloggers, social media. The media decides whether the breach is:
- A small tech story (1 article)
- Major business news (multiple outlets, days)
- National news (major outlets, weeks)
- An international scandal (global coverage)

Behavior:
- Positive Coverage (70%+): "Company handled breach well", trust maintained
- Neutral Coverage (40-70%): Matter-of-fact reporting, some concern
- Negative Coverage (<40%): "Company slow to respond", "Cover-up suspected"
- Scandal (<20%): Major negative coverage, "Company failed customers"

What Affects Media Coverage:
- Positive Factors:
  - Proactive media statement (ACTION-11): +20%
  - Quick notification (customers notified by end of Turn 5): +15%
  - CEO takes responsibility: +10%
  - Transparent communication: +10%
  - Third-party validation: +5%

Media Impact on Business:
- Positive media: customers stay, suppliers trust the company
- Negative media: customers leave, stock price drops, suppliers ask questions
- Scandal media: business collapse possible, bankruptcy risk

Goal:
- Maintain media trust above 40%
- Frame the narrative as "company handled it responsibly"
- Minimize negative coverage (below 20% = CRITICAL warning; triggers EVENT-07)

Loss (v2.2 single rule):
- Media trust at 0% = company collapses (immediate loss)
- Narrative: the negligence narrative sticks, stock crash, consumer boycott

Crisis Actions That Help:
- ACTION-11 (Media Management): +20% coverage
- ACTION-09 (Customer Notification): +5% (transparency)
- ACTION-12 (Board Communication): +5% (if credible)

Special Events:
- If the company is silent: "Media Frenzy" Event (increased coverage)
- If the company responds well: "Positive Coverage" Event (mitigates damage)
- If executives hide: "Cover-up Narrative" Event (major damage)
Stakeholder: Board
Stakeholder Type: Internal / Governance
Primary Concern: Company liability and fiduciary duty
Trust Meter: Starts at 70% (the board is inherently supportive initially)
Escalation: Drops if the response is inadequate; may fire the CEO

Description: The board of directors (and C-level executives if the company is private). The board must:
- Fulfill its fiduciary duty to shareholders
- Authorize major spending (crisis response can be very expensive)
- Decide on disclosure (if the company is public, SEC rules require a material cybersecurity incident to be disclosed on Form 8-K within four business days of the materiality determination)
- Decide on executives' future (fire/retain the CEO)
- Manage shareholder relationships

Behavior:
- High Confidence (70%+): Board is supportive, authorizes spending, defends executives
- Medium Confidence (40-70%): Board is questioning, scrutinizes spending, considers changes
- Low Confidence (<40%): Board is critical, may fire the CEO, considers restructuring
- Critical (<20%): Board votes to remove management, sell the company, or file for bankruptcy

What Affects Board Confidence:
- Increases Confidence:
  - Board Notification (ACTION-12): +20%
  - Professional incident response: +15%
  - Quick containment: +10%
  - Good regulatory relationship: +10%
  - Transparent communication: +5%

Board Decision Points (v2.2 clock):
- Turn 3: Board Meeting (EVENT-04; ACTION-12 should be done before it)
  - Board decides whether the CEO retains its confidence
  - Major spending approvals (forensics, lawyers, PR)
  - Disclosure decisions
  - Restructuring discussions
- Turn 8: End-game assessment

Goal:
- Maintain board confidence above 50%
- Board authorizes necessary spending
- Executives retain their positions (below 20% = CRITICAL warning state)

Loss (v2.2 single rule):
- Board trust at 0% = company collapses (immediate loss)
- Narrative: CEO fired, forced sale, bankruptcy filing

Crisis Actions That Help:
- ACTION-12 (Board Notification): +20% confidence
- ACTION-04 (Third-party IR): +15% (shows a professional response)
- ACTION-01, ACTION-07 (Forensics/Rebuild): +5-10%

Special Events:
- Turn 3: Board Meeting Event (first assessment)
- If confidence drops low: "CEO Removed" Event (new CEO, the game becomes harder)
- If well-managed: "Board Confidence Maintained" Event (positive modifier)
Stakeholder: Executives
Stakeholder Type: Internal / Management
Primary Concern: Job security and company survival
Trust Meter: Starts at 80% (executives are naturally supportive initially)
Escalation: Drops if the response is chaotic; executives may resign or sabotage

Description: C-level executives (CEO, CTO, CFO, CISO, General Counsel) who must:
- Make critical decisions under pressure
- Coordinate the crisis response
- Handle media inquiries
- Present to the board
- Ensure the company continues operating
- Manage their own careers/reputations

Behavior:
- High Morale (70%+): Executives are focused, coordinated, decisive
- Medium Morale (40-70%): Executives are stressed, some disagreements, slower decisions
- Low Morale (<40%): Executives may resign, infighting, poor decisions
- Critical (<20%): Executive exodus, chaos, no leadership

What Affects Executive Morale:
- Increases Morale:
  - Clear incident response plan: +15%
  - Professional guidance (consultants): +10%
  - Regular communication/updates: +5% per turn
  - Board support: +10%
  - Progress on containment: +5%

Executive Departure Risk:
- If morale drops too low, key executives resign
- Each resignation removes their expertise from future decisions
- Replacement executives are less effective initially
- The crisis becomes harder to manage

Goal:
- Maintain executive morale above 50%
- Prevent key executive resignations (below 30% triggers EVENT-11; below 20% = CRITICAL warning state)
- While Executive trust is below 30%, the Justification bonus is unavailable (see EVENT-11)

Loss (v2.2 single rule):
- Executive trust at 0% = company collapses (immediate loss)
- Narrative: executive exodus, leadership vacuum, chaos

Crisis Actions That Help:
- Regular communication: +5% per turn
- Professional response team: +10%
- Regulatory/customer progress: +5%
- Board confidence: +10%

Special Events:
- If morale drops low: "Executive Resignation" Event (a key person leaves)
- If morale stays high: "Leadership United" Event (positive coordination bonus)
- Media attacks on executives: Morale drop (-10%)
| Stakeholder | Type | Start Trust | Critical Warning | Primary Actions |
|---|---|---|---|---|
| Customers | External | 50% | <20% | ACTION-09 (notify), ACTION-11 (PR) |
| Regulators | Government | 60% | <20% | ACTION-10 (notify), ACTION-01/04 (forensics) |
| Media | External | 40% | <20% | ACTION-11 (PR), ACTION-09 (transparency) |
| Board | Internal | 70% | <20% | ACTION-12 (notify), ACTION-04 (guidance) |
| Executives | Internal | 80% | <20% (resignations from <30%) | Regular communication, success indicators |
Reminder (v2.2): critical is a warning state only. The single loss condition is any trust meter at 0%. Meters clamp to 0-100%.
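The following is an added example, not part of the RetroVerse Studios rules: a small Python simulation of the v2.2 trust-meter engine as the cards above describe it (Customer decay from Turn 3, Regulator escalation from Turn 6, the non-stacking rule, the 0-100 clamp, the CRITICAL warning below 20% and the single 0% loss condition), so a playtest group can check a sequence of turns without hand-tallying. Two things are assumptions, not rules from this page: the size of the EVENT-03 penalty (the page does not state it, so the caller supplies it, and the demo uses 10), and that when the decay and EVENT-03 would both hit Customers in one turn the larger single penalty is the one applied.

```python
"""Simulation of the v2.2 stakeholder trust meters described on this page (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Starting values from the summary table on this page.
START_TRUST: Dict[str, int] = {
    "Customers": 50, "Regulators": 60, "Media": 40, "Board": 70, "Executives": 80,
}
CRITICAL_BELOW = 20                  # v2.2: CRITICAL is a warning state only
CUSTOMER_DECAY_FROM_TURN = 3         # Customers card: decay from Turn 3 with no Communication action
REGULATOR_ESCALATION_FROM_TURN = 6   # Regulators card / EVENT-02: escalation from Turn 6 without ACTION-10
DECAY = 10


@dataclass
class GameState:
    trust: Dict[str, int] = field(default_factory=lambda: dict(START_TRUST))
    communication_done: bool = False   # any Communication-category action (the free Holding Statement counts)
    action_10_done: bool = False       # ACTION-10 Regulatory Notification completed
    collapsed: Optional[str] = None    # meter that reached 0%: the single v2.2 loss condition
    log: List[str] = field(default_factory=list)


def adjust(state: GameState, who: str, delta: int, reason: str) -> int:
    """Apply a trust change, clamp to 0-100, and record a collapse at 0%."""
    if state.collapsed:                # game already lost: nothing further changes
        return state.trust[who]
    new = max(0, min(100, state.trust[who] + delta))
    state.trust[who] = new
    state.log.append(f"{who} {delta:+d} ({reason}) -> {new}%")
    if new == 0:
        state.collapsed = who
    return new


def is_critical(state: GameState, who: str) -> bool:
    """CRITICAL warning state: strictly below 20%."""
    return state.trust[who] < CRITICAL_BELOW


def start_of_turn(state: GameState, turn: int, event03_penalty: int = 0) -> None:
    """Start-of-turn decay and escalation.

    event03_penalty is the size of the Turn-5 notification penalty (EVENT-03) if it
    fires this turn; the page does not state its size, so the caller supplies it.
    Assumption: when the Customer decay and EVENT-03 would both hit in one turn,
    only the larger single penalty is applied ("apply one, not both, per turn").
    """
    hits = []
    if turn >= CUSTOMER_DECAY_FROM_TURN and not state.communication_done:
        hits.append((DECAY, "no Communication action completed"))
    if event03_penalty > 0:
        hits.append((event03_penalty, "EVENT-03 notification penalty"))
    if hits:
        amount, reason = max(hits, key=lambda h: h[0])
        adjust(state, "Customers", -amount, reason)
    if turn >= REGULATOR_ESCALATION_FROM_TURN and not state.action_10_done:
        adjust(state, "Regulators", -DECAY, "ACTION-10 not completed (EVENT-02)")


def run_silent_team() -> GameState:
    """Constructed run: a team that never communicates and never files ACTION-10.
    EVENT-03 is assumed to cost 10 on Turn 5 (hypothetical size)."""
    state = GameState()
    for turn in range(1, 9):
        start_of_turn(state, turn, event03_penalty=10 if turn == 5 else 0)
        if state.collapsed:
            break
    return state


def run_managed_team() -> GameState:
    """Constructed run: Holding Statement on Turn 2, ACTION-10 on Turn 4, customers
    notified in time so EVENT-03 never fires. No meter moves."""
    state = GameState()
    for turn in range(1, 9):
        start_of_turn(state, turn)
        if turn == 2:
            state.communication_done = True
        if turn == 4:
            state.action_10_done = True
    return state


if __name__ == "__main__":
    for run in (run_silent_team, run_managed_team):
        s = run()
        print(run.__name__, s.trust, "collapsed:", s.collapsed)
        for line in s.log:
            print("  ", line)
```

The silent team's Customer meter goes 50, 40, 30, 20, 10, 0 and the company collapses at the start of Turn 7, two turns before the game would otherwise end; note that Turn 5 costs only 10, not 20, because the decay and EVENT-03 do not stack, and that the Regulator meter stops at 50 because the loss is immediate.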
Teams must balance managing five competing stakeholder groups:

Prioritization Strategy 1: External First
- Focus on Customers and Media
- Maintain public trust; regulators will follow
- Risk: Internal management gets neglected

Prioritization Strategy 2: Internal First
- Focus on Board and Executives
- Maintain leadership confidence
- The internal team makes better decisions
- Risk: External stakeholders (customers, media) get neglected

Prioritization Strategy 3: Balanced
- Do some actions for each stakeholder group
- Distribute budget across all notifications
- More complex but sustainable
- Risk: Medium progress on all, complete on none

Prioritization Strategy 4: Targeted
- Identify the critical stakeholder (maybe regulators)
- Focus budget there
- Neglect the others
- Risk: Single stakeholder collapse

Stakeholders influence each other:
- Media → Customers: If the media says "company hid breach", customers distrust (stack penalties)
- Regulators → Customers: If a regulator fines the company, customers see the company as unsafe
- Board → Executives: If the board removes the CEO, executives lose confidence
- Executives → Board: If executives resign, the board loses confidence in the response
- Customers → Stock Price: If customer trust drops, the stock price drops (affects Board decisions)
Each stakeholder's escalation matches a Triggered Event (see Event Cards — those are the authoritative conditions):
Disaster Recovery Module: Stakeholder Cards Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/disaster-recovery/expansion-deck/advanced-scenarios.md
Version: 2.2 - Playtest Edition Last Updated: October 2025
Advanced Scenario Cards extend the Disaster Recovery module with sophisticated, multi-faceted crisis situations that challenge experienced crisis management teams.
How scenarios work (v2.2): each scenario is played with the standard core rules — same 8-turn clock, same Action/Event/Stakeholder cards, same scoring. A scenario adds its "Special Events" as extra Scheduled events on the timeline at setup, and applies its concrete Difficulty (v2.2) effects (listed per scenario, replacing the old percentage "difficulty multipliers"). The only mechanical layers are the Special Events and the Difficulty block; "Cost Implications" sections are narrative color for the debrief. Dollar figures are narrative-only unless converted at 1 Budget ≈ $50K.
Complexity: ADVANCED
Affected Regions: US + EU + Asia
Primary Challenge: Different legal requirements for different regions

Description: The breach affects customer data in multiple countries with different privacy laws:
- US (California): notify without unreasonable delay; CCPA statutory damages fuel class actions
- EU (GDPR): 72-hour notification deadline from becoming aware; fines up to €20M or 4% of global annual turnover, whichever is HIGHER
- Asia (varies): Different deadlines and requirements in each country

Data residency requirements mean:
- EU customer data cannot simply be copied to US servers for analysis (GDPR cross-border transfer rules apply)
- Forensics must happen in the country where the data is stored
- Different regulators in each country demand an investigation
- Different notification laws require different messages

Key Complications:
- Timeline Conflict: EU regulators demand notification faster than the domestic clock; the US requires notification without unreasonable delay; Asia varies
- Legal Conflict: EU GDPR vs. US lawful-intercept and compelled-disclosure demands (conflicting requirements)
- Investigation: Must conduct forensics in multiple jurisdictions simultaneously
- Costs: A multi-region response costs much more

Team Decision Points:
1. Which region to prioritize (cannot satisfy all simultaneously)
2. How to conduct forensics across jurisdictions
3. How to notify customers differently per region
4. How to handle conflicting regulatory requirements

Special Events (added to the timeline at setup):
- Turn 2: EU regulators demand notification; a second ACTION-10 play (EU filing) is due by end of Turn 4
- Turn 5: International regulators demand investigation coordination (Regulator trust -5 if Investigation is below 25%)
- Turn 6: Data residency complication: if the EU filing was missed, Regulator trust -10 per turn (in place of, not stacked with, the core EVENT-02 escalation)

Cost Implications:
- Multi-region legal and forensics overhead: see Difficulty below
- Regulatory fines can stack across jurisdictions (narrative-only)
- Notification costs: translations, different templates, regulatory filings

Team Response:
- Must prioritize regions (satisfy the EU first because of its timeline)
- Must engage local lawyers in each jurisdiction
- Must conduct a compliant investigation (following local laws)
- Communication % must advance faster than usual

Difficulty (v2.2):
- All Communication advances -5% (multi-jurisdiction overhead; minimum +5%)
- A second regulator notification (EU) is required by end of Turn 4 (ACTION-10 is played twice this game)
- Set aside 5 Budget at setup as a translation/filing reserve (unavailable for actions)
Complexity: ADVANCED
Attacker Demand: $10M ransom (narrative), or the stolen data is sold/published
Primary Challenge: Responding to extortion threats

Description: The attacker not only encrypted data but also stole it and threatens public disclosure:
- "Pay up or we publish 50GB of customer PII on the dark web" (the demand is 20 Budget as printed on ACTION-13; the "$10M" figure is narrative color for a large enterprise, not the 1 Budget ≈ $50K conversion)
- Attacker provides proof of data access (sample files)
- Extortion email sent to the CEO and board
- Attacker sets the deadline at the start of Turn 5 (the core ACTION-13 ransom deadline)

Key Complications:
- Payment Question: Pay the ransom or not?
  - Paying: Funds a criminal enterprise, no guarantee of data deletion
  - Not paying: Risk of data publication (massive PR disaster)
- Disclosure Dilemma: Tell customers about the extortion threat?
  - Yes: Customers fear the data will be published
  - No: If the data is published, it looks like a cover-up
- Law Enforcement: The FBI recommends not paying (it incentivizes more attacks)
- Backup Reliance: Can you recover without paying?

Timeline Pressure (Special Events added at setup):
- Turn 1: Extortion email; ransom deadline set at the start of Turn 5
- Turn 2: First partial data publication (the attacker shows they have the data): Media trust -5
- Turn 3: Attacker lowers the price (negotiation attempt; pure roleplay, ACTION-13 costs are unchanged)
- Turn 5: Deadline reached; resolve ACTION-13 as printed (publish if unpaid; +2 turns if NEGOTIATE)

Financial Dilemma:
- Ransom: payment may violate OFAC sanctions if the actor is sanctioned; many cyber insurers restrict or exclude ransom coverage
- Recovery from backup: Slow (if backups exist and were not also encrypted)
- Data publication: Regulatory fines + lawsuits (potentially $50M+ liability; narrative-only)
- Public disclosure: Stock price crash, customer loss

Team Decisions:
1. Pay the ransom? (Risk: Encourages future attacks, no guarantee)
2. Attempt to recover from backup? (Risk: Slow recovery, data loss)
3. Notify customers before/after data publication? (Risk: Either way is bad)
4. Notify regulators? (Required, but reveals the full extent of the damage)

Law Enforcement Engagement:
- The FBI may take over the investigation (federal crime)
- Reduces the team's control of the situation
- May advise on negotiation (to buy time or gather intelligence on the attacker)
- The investigation may take weeks (slow response)

Special Events (added to the timeline at setup):
- Turn 3: Media discovers the extortion threat ("CEO held for ransom"): Media trust -10
- Turn 4: Attacker releases more sample data: Customer trust -5

Cost Implications:
- Ransom: 20 Budget if paid (ACTION-13 PAY, as printed)
- FBI coordination and extortion-specific notification overhead: see Difficulty below
- Regulatory fines if data is published: narrative-only (GDPR-scale)

Difficulty (v2.2):
- Remediation advances are halved until ACTION-13 is declared (operational paralysis while the decision hangs)
- Use ACTION-13 exactly as printed; the ransom deadline is the start of Turn 5
Complexity: ADVANCED
Vector: Attacker compromises a vendor that stores YOUR customers' data
Primary Challenge: Managing responsibility for a vendor compromise

Description: Investigation reveals the attacker didn't target your company directly; they compromised a vendor you use:
- Your company uses a cloud storage vendor (e.g., a competitor to AWS)
- That vendor was breached
- The attacker gained access to YOUR customer data stored at the vendor
- Question: Who is responsible? You? The vendor? Both?

Key Complications:
- Liability Question:
  - You're liable to customers (you selected the vendor)
  - The vendor is liable (their security failure)
  - Customers might sue both
- Vendor Response:
  - Vendor may be uncooperative (deny liability)
  - Vendor may go bankrupt (vendor collapses during the breach)
  - Vendor may not investigate properly
- Notification Question:
  - Tell customers you chose a bad vendor?
  - Or just notify about the data breach without explaining the vendor?
  - Either way looks bad
- Investigation:
  - Must investigate the vendor (not your own systems)
  - Vendor may not cooperate
  - Limited forensic access (you don't control vendor systems)
  - Regulators may blame you anyway (under GDPR the data controller remains accountable for its processors)

Responsibility & Liability:
- Customer lawsuits: "You failed to vet the vendor properly"
- Regulatory fines: "You failed to oversee third-party risk"
- Vendor lawsuits: "Vendor refuses to pay damages"
- Vendor bankruptcy: "Vendor can't pay, customers turn to you"

Team Decisions:
1. Blame the vendor (legally risky, looks bad)
2. Share responsibility (legally safer, but costs more)
3. Quickly terminate the vendor relationship (looks reactive)
4. Demand the vendor pay for notification/remediation (vendor may refuse)

Special Events:
- Turn 1: Discovery that the vendor was breached
- Turn 2: Vendor denies liability / claims it's your responsibility
- Turn 3: Regulatory agency demands to know vendor details
- Turn 4: First customer lawsuit against both you AND the vendor
- Turn 5: Vendor declares bankruptcy (can't pay damages)

Cost Implications:
- Investigation into the vendor: +8 Budget (forensics at the vendor site)
- Legal: +20 Budget (defending against liability claims)
- Regulatory fines: Potentially the full amount (you're still liable)
- Customer lawsuits: Likely regardless of the vendor's role
- Vendor transition: +15 Budget (switch to a new vendor, migrate data)

Communication Challenge:
- Customers angry at you (you chose a bad vendor)
- Media: "Company failed to vet third-party security"
- Regulators: "Poor third-party risk management"
- Board: "Why did we use this vendor?"

Difficulty (v2.2):
- Investigation advances -5% (no direct access to vendor systems; minimum +5%)
- Set aside 10 Budget at setup as a legal reserve (unavailable for actions)
- Turn-5 Special Event: the vendor declares bankruptcy; Board trust -10
Complexity: ADVANCED
Attacker: External actor assisted by a current employee
Primary Challenge: Organizational trauma and trust collapse

Description: During the investigation of the external breach, the forensic team discovers:
- The "external breach" had help from an insider
- An employee provided the attacker with access/credentials
- The employee may have also exfiltrated data
- The employee is still working at the company (not yet caught)

Key Complications:
- Who is involved?
  - A single rogue employee?
  - A conspiracy (multiple employees)?
  - Which departments are involved?
- Motive:
  - Disgruntled employee selling data
  - Corporate espionage (hired by a competitor)
  - Theft for personal gain
  - Political/ideological motivation
- Scope:
  - What other systems did the insider compromise?
  - What data did they access/steal?
  - How long were they active?
  - Are there other insiders?
- HR/Legal:
  - Fire the employee immediately (risks legal action)
  - Continue employment while investigating (ethics question)
  - Involve law enforcement (police investigation)
  - Civil litigation from the employee (wrongful termination claims)

Organizational Impact:
- Trust in employees collapses
- Morale plummets (people suspect each other)
- Staff paranoia increases
- Executive distraction (investigating the insider)

Special Events:
- Turn 2: Forensics discovers insider involvement
- Turn 3: HR/Legal team must decide: fire or investigate?
- Turn 4: If fired, a wrongful termination lawsuit is likely
- Turn 4: If not fired, the employee may destroy more evidence
- Turn 5: Law enforcement investigation (if reported to police)

Team Decisions:
1. Immediately fire the employee (legal risk but stops the damage)
2. Continue employment while investigating (ethical but risky)
3. Involve law enforcement (criminal investigation, slow)
4. Settle potential lawsuits preemptively (expensive)

Investigation Complexity:
- Cannot trust the employee's explanations
- Must verify what the employee had access to (from access logs and IAM records, not from the employee)
- Must recover deleted data/logs
- Must interview other employees
- The investigation takes much longer (suspicious of everyone)

Cost Implications:
- Extended forensics: +15 Budget (investigating the employee)
- Legal: +25 Budget (employment law, potential settlements)
- HR investigation: +8 Budget (interview staff, background checks)
- Remediation: +20 Budget (credential reset, system rebuild)
- Potential lawsuit: Millions if significant

Communication Challenge:
- Cannot publicly disclose insider involvement (defamation risk)
- Regulators and customers demand an explanation
- Media: "Company had insider threat"
- Board: "Why was security so bad?"

Difficulty (v2.2):
- Investigation advances are halved until Investigation reaches 50% (internal accounts cannot be trusted)
- Executive trust starts at 60% (instead of 80%)
- ACTION-08 (Credential Reset) is effectively mandatory: if not completed by end of Turn 6, EVENT-08 (Second Breach) fires automatically
Complexity: ADVANCED+
Sector: Utilities, Healthcare, Transportation, Manufacturing
Primary Challenge: Physical safety takes priority over the cybersecurity response

Description: The breach affects critical infrastructure where compromise could cause physical harm:
- Healthcare: Hospital network compromise during surgery (patient safety risk)
- Utilities: Power grid compromise during a storm (people without power/heat)
- Transportation: Traffic system compromise (accidents possible)
- Manufacturing: Production system compromise (equipment failure)

Key Complication: Safety > Security
- Cannot shut down the system for forensics if people would be harmed
- Cannot remediate if it requires system downtime
- Incident response must preserve operational safety
- Balances the security investigation against operational continuity

Regulatory Escalation:
- CISA (Cybersecurity and Infrastructure Security Agency) is involved immediately
- An Incident Command System (ICS) structure under the National Incident Management System (NIMS) may take over
- Government mandates the response (not optional)
- Military/intelligence agencies may be involved
- Cannot investigate without government approval

Special Considerations:
- Lives are at stake (not just data)
- Response priorities are: Safety → Containment → Investigation
- Traditional forensics may be impossible (the system must stay operational)
- The attacker knows the system is critical (leverage for negotiation)

Special Events:
- Turn 1: CISA declaration of a critical infrastructure incident
- Turn 2: Government takes partial control of the response (may override company decisions)
- Turn 3-4: Attacker threatens a system shutdown (extortion using the safety risk)
- Turn 5: Coordinated media/government briefings (national security implications)

Team Decisions:
1. Continue operations (risk of a safety incident) or shut down (risk to people without service)?
2. Engage with government agencies (lose control of the response)
3. Negotiate with the attacker (payment may violate OFAC sanctions if the actor is sanctioned; the government will weigh in)
4. Accept a potential service interruption (for safety)

Cost Implications:
- Immediate government response: +50 Budget (federal agencies)
- Operational impact: Unknown (depends on what breaks)
- Remediation: Cannot shut down the system (very limited options)
- Investigation: Deferred (safety is the priority)
- National security classification: The investigation may be classified (cannot discuss publicly)

Communication Challenge:
- Cannot disclose security details (national security)
- Cannot disclose the full scope (might encourage copycat attacks)
- Public panic risk (if people know infrastructure is vulnerable)
- Media cannot report full details (government requests)

Difficulty (v2.2):
- Remediation advances are halved (systems must stay operational; no downtime allowed)
- Communication advances -5% (national security disclosure restrictions; minimum +5%)
- ACTION-13 PAY is unavailable (the government prohibits payment)
- Turn-1 Special Event: CISA declaration; Regulator trust starts at 50% but ACTION-10 gives +25 instead of +20 (cooperation is rewarded)
Complexity: ADVANCED
Trigger: Negative media coverage + analyst downgrades
Primary Challenge: Managing a financial crisis alongside the security crisis

Description: A public company's stock price crashes following the breach announcement:
- News of the breach is announced
- Stock drops 10-20% on the first day
- Short-sellers amplify negative sentiment
- Analysts downgrade the stock rating
- Institutional investors sell (panic selling)
- Stock drops 30-50% or more

Key Complications:
- Financial Crisis:
  - Company loses market value ($1B+ in some cases)
  - Credit rating downgrade possible
  - Difficulty accessing credit markets
  - Acquisition at a depressed price possible
- Board/Shareholder Panic:
  - Shareholders demand CEO removal
  - Board may fire executives immediately
  - Board may accept a lowball acquisition offer
  - Media coverage of internal turmoil
- Business Disruption:
  - Employee morale crashes (stock is part of compensation)
  - Key employees leave (seeking more stable companies)
  - Customer confidence drops
  - Supplier payment delays (credit rating issue)
  - Business slows due to loss of employee focus

Investor Psychology:
- Fear-driven selling (the stock is a "falling knife")
- Rumors spread (company is a bankruptcy risk)
- Technical traders amplify the selling (algorithmic trading)
- Recovery takes months/years even if the breach is minor

Special Events:
- Turn 1: Stock drops 20% (breach announcement)
- Turn 2: Analyst downgrades (stock drops another 15%)
- Turn 3: Media "Death Spiral" narrative ("Company Doomed")
- Turn 4: Short-seller report (negative narrative amplified)
- Turn 5: Activist investor demands board change
- Turn 6: Acquisition offer from a vulture investor (lowball)
- Turn 7: Board may accept the acquisition (loses independence)

Team Decisions:
1. Focus on the crisis response (the stock takes care of itself)
2. Spend effort on investor relations (PR effort)
3. Respond to activist pressure (appeasement or defiance?)
4. Accept the acquisition offer or fight it?

Indirect Crisis Complications:
- Cannot spend freely on the response (stock-based credit)
- May need to cut the crisis response budget (unexpected)
- Board becomes distracted (shareholder meetings, hostile negotiations)
- Executives leave (the job market is competitive)
- Crisis response effectiveness drops

Cost Implications:
- Investor relations campaign: +10 Budget
- Board/shareholder meetings: Distraction (-10 effectiveness)
- Potential acquisition: Loss of independence
- Employee departures: Loss of key expertise
- Credit access: May be restricted (raises costs)

Communication Challenge:
- Must manage the investor narrative (balance hope and realism)
- Must appear competent (or the stock collapses further)
- Media attention is intense (every statement is scrutinized)
- Cannot show weakness (the stock market punishes it)

Difficulty (v2.2):
- Board trust starts at 50% (instead of 70%)
- Budget -10 at setup (credit crunch)
- EVENT-09 (Shareholder Pressure) fires at Turn 3 AND Turn 5 (it is scheduled twice this game)
Complexity: ADVANCED+ Multiple Simultaneous Compromises: Systems encrypted + data stolen + email account compromised Primary Challenge: Responding to multiple attack objectives simultaneously
Description: Not a single attack but multiple overlapping compromises: 1. Ransomware: File servers encrypted (production stops, cannot access files) 2. Data Breach: Database stolen (customer data exfiltrated) 3. Email Compromise: CEO's email account compromised (attacker can send as CEO)
Key Complications: - Attacker has multiple leverage points: - "Pay ransom or systems stay encrypted" (operational pressure) - "Pay to prevent data publication" (financial/reputational pressure) - "Stop responding or we'll send fake CEO email" (social engineering pressure) - Investigation difficulty: - Multiple attack vectors to investigate - May be different attackers or coordinated campaign - Each compromise has different timeline - Cannot determine if attacks are related or independent - Remediation priorities clash: - Decrypt systems immediately (get operations back) - Recover stolen data (prevent publication) - Secure CEO email account (prevent further compromise) - Cannot do all three at once (budget/time constraints)
Special Complications: - Fake CEO Email Risk: - Attacker sends email as CEO - "Approves" emergency spending - "Authorizes" data transfers - "Orders" employee actions - Teams cannot tell if email is real - Timeline Acceleration: - Email compromise creates urgency - Attacker can impersonate executives - Must immediately notify all employees - Breach of trust (employees distrust CEO emails)
Special Events: - Turn 1: Discovery of ransomware + data breach - Turn 2: Discovery of CEO email compromise - Turn 3: Fake CEO email sends "emergency transfer" (employees confused) - Turn 4: Attacker threatens to send more fake emails (escalation) - Turn 5: Ransom deadline, data publication deadline, email account deadline (all converging)
Investigation Complexity: - Three separate forensics investigations (expensive) - Each compromise requires different approach - Timelines may overlap (more complexity) - May be related (same attacker) or unrelated (unlucky)
Cost Implications: - Triple forensics: +20 Budget (investigating all three) - Triple ransom/extortion demands: $10M+ total - Remediation: +25 Budget (rebuild files, backup, email security) - Communication: +15 Budget (notifying employees about fake emails) - Regulatory fines: Stacked (multiple breach types)
Team Decisions: 1. Which compromise to prioritize? (Cannot fix all simultaneously) 2. Pay multiple ransoms or negotiate single amount? 3. How to prevent fake CEO emails during investigation? 4. How to rebuild trust after email compromise?
Communication Challenge: - Must warn employees about fake emails (careful wording) - Cannot fully disclose CEO email compromise (executive embarrassment) - Must appear to have control (or stock crashes) - Media narrative: "Multiple breaches mean security is very bad"
Difficulty (v2.2):
- +2 turns of events: EVENT-08 (Second Breach) is pre-armed and fires automatically at Turn 6 (once); the game runs 10 turns
- All track advances -5% (three simultaneous investigations; minimum +5%)
- The ransom deadline covers all three extortion threats: one ACTION-13 decision resolves them together
SCENARIO-08: M&A Complications
Complexity: ADVANCED+
Context: Breach happens while the company is being acquired or merging
Primary Challenge: Managing the breach while deal dynamics change
Description: Breach is discovered during a critical phase of an M&A transaction:
- Company has announced an acquisition/merger
- Deal closes in 30-45 days
- Due diligence is underway (acquirer evaluating the company)
- Breach discovered mid-deal
- Acquirer may walk away (reduces deal value or terminates the deal)
- Regulators may block the deal (antitrust, security concerns)
Key Complications:
- Deal Dynamics:
  - Acquirer discovers the breach during due diligence
  - Acquirer may lower the offer price (leverage)
  - Acquirer may demand warranty/escrow (financial penalty)
  - Deal may fail entirely (destroys shareholder value)
- Information Control:
  - Acquirer has limited information (still under NDA)
  - Seller has an incentive to minimize the breach
  - Acquirer has an incentive to maximize perceived severity
  - Buyer/seller information asymmetry complicates the response
- Regulatory Issues:
  - Merger may be blocked over security concerns
  - FTC may demand security improvements (delays the deal)
  - State regulators may oppose the merger (security risk)
  - Deal timing is already tight (additional scrutiny delays close)
- Board Pressure:
  - Board wants to preserve deal value
  - May demand a minimal response (to avoid disclosing full scope)
  - May pressure executives to downplay the breach
  - Creates pressure for an inadequate response
Timeline Pressure:
- Deal must close in 30-45 days
- Breach response takes time
- Regulatory review adds time
- Conflicting priorities: deal vs. response
Special Events:
- Turn 1: Breach discovered; acquirer learns of it in due diligence
- Turn 2: Acquirer threatens to walk away (leverage)
- Turn 3: Price renegotiation (acquirer lowers offer 10-20%)
- Turn 4: Regulatory delay (FTC requests documents)
- Turn 5: Deal extension negotiations (need more time for breach response)
- Turn 6: Shareholder lawsuit (shareholders allege the breach was hidden)
Team Decisions:
1. Full disclosure to the acquirer (cooperation, but deal value drops)
2. Minimal disclosure (preserves the deal, but fraud risk)
3. Separate negotiations: breach response vs. acquisition terms
4. Push for a deal delay (to respond properly to the breach)
Complex Incentives:
- Company wants:
  - Deal to close at a good price
  - Breach to be minimized
  - Acquirer to handle breach remediation
- Acquirer wants:
  - Full disclosure of the breach
  - Lower price to account for risk
  - Warranties that the seller covers breach costs
- Regulators want:
  - Full investigation
  - Breach remediation
  - Assurance of future security
  - May block if the combined entity is too powerful
Cost Implications:
- Breach response: standard costs (+20-30 Budget)
- Deal renegotiation: millions in lost value
- Regulatory review: delays (may block the deal)
- Shareholder lawsuit: liability if the breach was hidden
- Escrow/warranty: seller may have to hold money as security
Communication Challenge:
- Cannot disclose full breach details (acquirer has leverage)
- Cannot hide the breach (fraud risk)
- Must negotiate simultaneously with acquirer + regulators + investigators
- Media discovery complicates matters (stock price pressure)
Difficulty (v2.2):
- Communication advances are halved (every statement is reviewed by two legal teams)
- Board trust starts at 50% (deal-preservation pressure to under-respond)
- Turn-3 Special Event, price renegotiation: Board trust -10 if Investigation is below 25% (the board can't answer the acquirer's questions)
| Scenario | Challenge | Difficulty | Key Pressure |
|---|---|---|---|
| SCENARIO-01 | Multi-Region Legal | HIGH | 3 different regulatory timelines |
| SCENARIO-02 | Ransomware Extortion | HIGH | $10M decision + data publication threat |
| SCENARIO-03 | Supply Chain Liability | HIGH | Vendor failure, customer trust |
| SCENARIO-04 | Insider Threat | HIGH | Organizational trust collapse |
| SCENARIO-05 | Critical Infrastructure | EXTREME | Lives at risk, government control |
| SCENARIO-06 | Stock Crash | HIGH | Financial crisis + board pressure |
| SCENARIO-07 | Triple Compromise | EXTREME | 3 simultaneous attacks, multiple ransoms |
| SCENARIO-08 | M&A Complications | EXTREME | Deal value + regulatory blocks |
Use if:
- Playing with experienced crisis management teams
- You want sophisticated, realistic scenarios
- You have time for complex decision-making (add 20-30 min per scenario)
- You want to teach the cascading effects of bad decisions
Skip if:
- Playing with beginners (too complex)
- You want simpler, faster gameplay
- Limited time is available
- The focus is on learning the basics
Start with easier scenarios:
1. SCENARIO-01 (Multi-Region): complex but straightforward
2. SCENARIO-02 (Ransomware): familiar from the news, clear choices
3. SCENARIO-04 (Insider): interesting organizational dynamics
Progress to harder scenarios:
4. SCENARIO-03 (Supply Chain): adds liability complexity
5. SCENARIO-06 (Stock Crash): financial crisis layer
Reserve for expert play:
6. SCENARIO-05 (Critical Infrastructure): government involvement changes everything
7. SCENARIO-07 (Triple Compromise): multiple simultaneous crises
8. SCENARIO-08 (M&A): extreme complexity, conflicts of interest
Disaster Recovery Module: Advanced Crisis Scenarios (Expansion) Part of Incident Zero, a modular cybersecurity board game v2.2 - Playtest Edition
cards/print-templates/tracker-sheets.md
Version: 2.2 - Playtest Edition
Print on plain A4. One Universal Sheet per table, plus the module sheet for the module you're playing. Tip: laminate and use a dry-erase marker, or move a coin/token along the tracks.
Cross off as each turn ends. Circle your turn limit before starting.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
[ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Start at your module's budget (Network Building 40-60 · Disaster Recovery 50 · Forensics 75 · IR 100 · Audit 100 · Hardening 150). Tick down in 5s.
150 145 140 135 130 125 120 115 110 105 100 95 90 85 80 75
70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
100 95 90 85 80 75 70 65 60 55 50 45 40 35 30 25 20 15 10 5 0
0 1 2 3 4 5
[ ] [ ] [ ] [ ] [ ] [ ] Penalty at start of turn: -5 Budget each
Advance each meter per card effects. Victory thresholds marked ▲.
ATTRIBUTION 0 10 20 30 40 50 60 70 80 90▲ 100
TIMELINE 0 10 20 30 40 50 60 70 80▲ 90 100
ATTACK CHAIN 0 10 20 30 40 50 60 70 80▲ 90 100
CHAIN OF CUSTODY 0 10 20 30 40 50 60 70▲ 80 90 100
Victory check (end of game):
- V1 Full Attribution: Attribution ≥90 AND Timeline ≥80
- V2 Solid Case: Timeline ≥80 AND Attack Chain ≥80 AND Chain of Custody ≥70
- V3 Partial Findings: any two meters ≥70
Investigation in flight: ____ (results arrive Turn _)
Evidence collected (✓ = Analyzed; one Analyze per card):
| Evidence card | Documented? (+5% CoC) | Analyzed? |
|---|---|---|
INVESTIGATION 0 10 20 30 40 50 60 70 80 90 100
REMEDIATION 0 10 20 30 40 50 60 70 80 90 100
COMMUNICATION 0 10 20 30 40 50 60 70 80 90 100
| Stakeholder | 100 | 80 | 60 | 40 | 20 (critical) | 0 (LOSS) |
|---|---|---|---|---|---|---|
| Customers | ||||||
| Employees | ||||||
| Regulators | ||||||
| Board / Investors | ||||||
| Media / Public | ||||||
| Turn | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| Scheduled event | ||||||||
| Deadline | Customers notified (recommended) | Regulator penalties begin | GDPR 72h — regulators notified | | | | | |
Multi-turn action in flight: ____ (completes Turn _)
| # | Domain | Stars (1-5) | PASS (3★+) / FAIL (1-2★) | Key gap found |
|---|---|---|---|---|
| 1 | Network Segmentation | |||
| 2 | Identity & Access | |||
| 3 | Detection & Monitoring | |||
| 4 | Backup & Recovery | |||
| 5 | Cloud Security | |||
| 6 | Security Operations | |||
Result: ___ / 6 PASS — Gap penalties for follow-on modules: see module rules (total capped at -30).
| Category | Points | Notes |
|---|---|---|
| Requirements met | per requirement card | |
| Security coverage | per rules scoring table | |
| Capability coverage | per rules scoring table | |
| Budget management | per rules scoring table | |
| TOTAL | | |
Components placed:
| Component | Cost | Capacity used / total |
|---|---|---|
Budget remaining: ___ / starting ___