Security Awareness Training Scenarios, Part 1: Contaminated Workplace

Security awareness training is most effective when participants can experience threats in a realistic, hands-on environment.

 

In the “contaminated workplace” scenario, an office is set up with one or more computer workstations equipped with pentest hardware. Offices with many different devices and open cabling are best suited to this scenario. After an introduction, participants are divided into two groups: One group must hide the hardware tools; the other group must find them afterwards.

 

For this scenario, you can use all hardware tools that are connected to a client computer. These devices include keyloggers, screen loggers, devices for local area network (LAN) interfaces, and various other spy gadgets.

 

Preparation

This scenario does not require major preparations. In theory, you can simply distribute the pentest hardware without configuring it. This setup is sufficient for the objective, that is, to detect the hardware. However, using active hardware makes an interesting later evaluation possible.

 

In particular, you can deploy spy gadgets, as shown in this figure, that record the audio and video in a room.

 

Various Spy Gadgets

 

If you actively use these devices, you should clarify with the participants in advance that recordings will be made. These gadgets can often be installed regardless of the location of a computer, allowing the group that hides these tools to operate rather flexibly.

 

Some devices only have a small battery. To make the scenario more realistic, you can also connect power supply units.

 

Next, prepare the pentest hardware to be connected to a computer. This figure shows a selection of keyloggers and screen loggers, which are smuggled directly between the computer and the keyboard or monitor and are of course suitable in this context.

 

Keylogger, Screen Logger, USB Device, and LAN Hardware

 

In addition, you can prepare various LAN tools that are attached to the LAN cable connection and compromise the network. In this case, however, you should configure the training network so that no access to networks used in production is possible. Perhaps all you need is a router to create a small training network as a playground.

 

Variations

If you want to enhance the difficulty of the training even further, use hardware that you have not presented in advance. However, your choices should be similar to the tools you present so that participants can transfer what they have learned. For example, you could hide a keylogger that is structured and configured differently to the keylogger you present, as shown in the next figure. With this challenge, participants reach a higher level of understanding because they transfer knowledge from something they’ve learned to a new scenario.

 

USB Keylogger in a Cable and a Different Form Factor

 

To further enhance the challenge, use devices in specialist groups that share a common function but look rather unusual, for example, all types of adapters and cable extensions for USB and for RJ45 Ethernet, as shown here.

 

USB Extensions and RJ45 Connectors and Adapters

 

Execution

First, conduct the theoretical training and introduce the various hardware tools to all participants. Then divide the participants into two equal groups. Next, go with the first group to the previously prepared office. Give the participants the hardware with the task of hiding it as inconspicuously as possible. Depending on the size of the group, you can build groups of two or more and give them one or more devices. In the process, discuss with these participants how the tools can be hidden as efficiently as possible. As soon as all the devices have been placed, this group leaves the office again and can take a coffee break.

 

Then fetch the second group and accompany them to the office. Give this group the task of finding as many hardware devices as possible that may have malicious intent. If the participants are not sure whether an item is the hardware they are looking for, let them discuss it among themselves first. If necessary (for example, if no progress is made at all for a while), offer some tips on what kind of hardware can still be sought.

 

To make the exercise more relevant to real life, tell the second group to leave the hardware tools they have found in place. You can then demonstrate to both groups what data can be intercepted with these tools. For this part, make a few entries on the keyboard and access multiple websites. Then read the contents of the keyloggers and screen loggers and show them to the participants. You can also show them the audio and video recordings gathered by the spy gadgets.

 

Conclusion

The contaminated workplace scenario demonstrates that security risks are not limited to software and phishing emails—physical hardware threats can be just as dangerous and far more difficult to detect. By actively hiding and uncovering malicious devices, participants develop a sharper eye for suspicious equipment and a deeper understanding of how easily workplace environments can be compromised. This practical experience not only increases awareness but also encourages a culture of attentiveness, critical thinking, and shared responsibility for organizational security.

 

Editor’s note: This post has been adapted from a section of the book Hacking Hardware: The Practical Guide to Penetration Testing by Tobias Scheible. Tobias taught and conducted research in the field of IT security at Albstadt-Sigmaringen University for more than eleven years.

 

This post was originally published 1/2026.

by Rheinwerk Computing

Rheinwerk Computing is an imprint of Rheinwerk Publishing and publishes books by leading experts in the fields of programming, administration, security, analytics, and more.