13  Artifact-Based Case Study Development Template

This template guides you through creating immersive, artifact-based cybersecurity case studies that engage students as professionals analyzing authentic documents and evidence. Rather than following linear narratives, students explore realistic collections of emails, logs, news reports, transcripts, and technical documents to understand complex cybersecurity situations and develop response strategies.

Understanding the Artifact-Based Methodology

What Makes This Different: Traditional case studies present information through storytelling. Artifact-based case studies present information through realistic document collections that students must analyze, interpret, and synthesize—exactly how cybersecurity professionals work in practice.

Core Principle: Students learn by doing what cybersecurity professionals do—analyzing multiple information sources with incomplete data, competing perspectives, and time pressure to make informed decisions about complex sociotechnical situations.

Educational Foundation: This methodology embodies posthuman pedagogical principles by recognizing the distributed nature of cybersecurity knowledge across human expertise, technological systems, organizational processes, and regulatory frameworks. Students develop capacity for working with rather than over these complex assemblages.

Step 1: Define Your Learning Objectives

Before creating artifacts, establish clear, measurable learning objectives that align with professional cybersecurity practice. Focus on capabilities students need for working effectively within complex human-technology assemblages.

Professional Competency Framework

After analyzing this artifact collection, students will be able to:

- [Document analysis skill with cybersecurity application]
- [Cross-referencing capability across information sources]
- [Stakeholder perspective recognition through communications]
- [Technical-business integration in decision-making]
- [Collaborative response strategy development]

Example Learning Objectives

After analyzing the Municipal Infrastructure Incident artifacts, students will be able to:

- Correlate SCADA alert patterns with threat actor reconnaissance techniques
- Identify distributed responsibilities across utility operators, vendors, and regulators
- Evaluate human-technology coordination during infrastructure security incidents
- Develop multi-stakeholder response strategies for critical infrastructure protection

Step 2: Choose Your Industry Context and Temporal Setting

Select industry contexts that provide rich artifact diversity and realistic stakeholder networks. Consider sectors where cybersecurity incidents require coordination across multiple organizations, technologies, and regulatory frameworks.

High-Value Industry Contexts:

Temporal Setting Considerations:

  • Set incidents 6-12 months in the past for realism without referencing current events
  • Consider regulatory environments and technology landscapes for your chosen timeframe
  • Align with technology capabilities students should understand (cloud transitions, AI integration, etc.)

Step 3: Design Your Organizational Ecosystem

Create realistic networks of organizations that generate authentic document types and communication patterns. Focus on assemblages rather than individual organizations—the distributed networks that emerge during cybersecurity incidents.

Primary Organization Template:

**Organization Name**: [Memorable but professional, avoid real company names]
**Industry Focus**: [Specific sector with realistic scale and complexity]
**Size and Scope**: [Employee count and operational scale that justifies artifact complexity]
**Technology Environment**: [Mix of legacy and modern systems creating realistic vulnerabilities]
**Regulatory Context**: [Compliance requirements that drive documentation and reporting]
**Stakeholder Network**: [Partners, vendors, regulators, customers who participate in responses]

Stakeholder Ecosystem Mapping:

Internal Stakeholders:
- [IT/Security teams - technical analysis and response]
- [Operations teams - business continuity and service delivery]
- [Executive leadership - strategic decision-making and resource allocation]
- [Legal/Compliance - regulatory obligations and disclosure requirements]

External Stakeholders:
- [Technology vendors - system support and forensic assistance]
- [Regulatory agencies - compliance oversight and incident reporting]
- [Industry partners - threat intelligence sharing and coordination]
- [Media/Public - transparency requirements and reputation management]

Step 4: Develop Character Profiles for Document Creation

Create realistic characters who generate authentic communications throughout your incident. Focus on professional roles rather than personal details—what matters is how their expertise, responsibilities, and organizational positions shape their communications and decision-making.

Character Development Framework:

**Name**: [Professional but diverse, reflecting cybersecurity workforce]
**Role**: [Specific title with clear technical/business responsibilities]
**Expertise Level**: [Technical depth appropriate for their position]
**Communication Style**: [How they write emails, present in meetings, document findings]
**Organizational Perspective**: [What they prioritize based on their role and background]
**Network Connections**: [Who they communicate with and coordinate with]

Character Types for Artifact Generation:

Technical Specialists: Generate logs, analysis reports, forensic findings, vendor communications

  • Security Analysts (SOC monitoring, incident analysis)
  • System Administrators (infrastructure management, access control)
  • Network Engineers (traffic analysis, architecture documentation)

Management and Coordination: Generate strategic communications, resource decisions, stakeholder management

  • IT Managers (team coordination, budget decisions, vendor management)
  • Chief Information Security Officers (strategic planning, executive communication)
  • Project Managers (timeline coordination, resource allocation)

Business and Compliance: Generate regulatory filings, business impact assessments, legal considerations

  • Compliance Officers (regulatory requirements, disclosure obligations)
  • Business Continuity Managers (operational impact, recovery planning)
  • Legal Counsel (liability assessment, regulatory coordination)

Step 5: Create Your Incident Timeline

Build realistic temporal progression that creates natural document flow and decision pressure. Focus on how different types of artifacts emerge at different stages of incident detection, response, and resolution.

Artifact-Based Timeline Framework

T-1 Month: [Background documents establishing context - policies, configurations, routine reports]
T-1 Week: [Early warning signs - system alerts, unusual activity reports, vendor notifications]
T-Day 0: [Incident detection - automated alerts, initial human analysis, escalation communications]
T+1 Hour: [Immediate response - emergency communications, containment actions, notification procedures]
T+4 Hours: [Analysis phase - detailed forensics, stakeholder coordination, regulatory notifications]
T+1 Day: [Response coordination - vendor engagement, regulatory filings, media management]
T+1 Week: [Resolution activities - lessons learned reports, policy updates, improvement plans]

Background/Context Phase:

  • Security policies and procedures
  • Network architecture diagrams
  • Vendor service agreements
  • Previous incident reports

Detection/Initial Response Phase:

  • Automated system alerts and logs
  • Initial incident communications
  • Emergency response procedures
  • Vendor notification calls

Analysis/Coordination Phase:

  • Detailed technical analysis reports
  • Cross-organizational email threads
  • Regulatory filing documents
  • Media statements and responses

Step 6: Design Your Central Challenge

Develop complex cybersecurity situations that require students to synthesize information across multiple artifacts, stakeholder perspectives, and technical domains. Focus on realistic ambiguity rather than puzzle-solving.

Challenge Design Principles:

Multiple Valid Approaches: Ensure various response strategies can be justified based on different interpretations of available evidence

Incomplete Information: Students must work with gaps, conflicting data, and uncertainty—just like real cybersecurity practice

Temporal Pressure: Timeline creates urgency while maintaining realistic decision-making constraints

Stakeholder Tensions: Different organizational perspectives create competing priorities that students must navigate

Technical Complexity: Sufficient technical depth to require cybersecurity expertise without overwhelming non-specialists

Distributed Agency: Solutions require coordination across human expertise, technological systems, and organizational processes

Step 7: Create Authentic Artifact Collections

This is the heart of artifact-based methodology. Create realistic documents that feel authentic and serve specific educational purposes. Each artifact should advance student understanding while maintaining professional credibility.

Technical Artifacts

System Logs and Alerts:

[CRITICAL ALERT] - System: [Realistic system name]
Date/Time: [Consistent with timeline] 
Alert Level: [CRITICAL/HIGH/MEDIUM/LOW]
Source: [Specific system component or monitoring tool]

[Realistic log entry with appropriate technical detail]
Protocol: [Specific network protocol or system interface]
Source IPs: [Realistic but fictional IP addresses]
Behavior Pattern: [Technical description of suspicious activity]
Automated Response: [System actions taken without human intervention]

Network Analysis Reports:

NETWORK FORENSICS ANALYSIS
Analyst: [Character name with appropriate technical role]
Date: [Timeline consistent]
Tools Used: [Realistic cybersecurity tools - Wireshark, Nmap, etc.]

Technical Findings:
- [Specific technical observation with tool correlation]
- [Network behavior patterns indicating threat sophistication]
- [Evidence of reconnaissance or attack progression]

Recommendations: [Technical and procedural recommendations]

Communication Artifacts

Internal Email Threads:

From: [realistic email address reflecting character role]
To: [appropriate recipients for information sharing]
Subject: [professional subject line indicating urgency/content]
Date: [timeline consistent]

[Natural professional communication that reveals:
- Character priorities and expertise
- Technical details appropriate to audience
- Organizational dynamics and decision pressure
- Cross-functional coordination challenges]

Voice Message Transcripts:

VOICEMAIL TRANSCRIPT
Caller: [Character name and title]
Recipient: [Target contact - vendor, partner, etc.]
Date/Time: [Timeline consistent]
Duration: [Realistic length]

"[Natural speech patterns with background context]
[Technical details mixed with urgency]
[Specific requests for assistance or coordination]
[Contact information and follow-up requirements]"

[Background sounds: realistic workplace audio]

Regulatory and External Artifacts

Regulatory Filings:

[REGULATORY AGENCY NAME]
[SPECIFIC FILING TYPE - Incident Report, Compliance Notice, etc.]
Filing ID: [Realistic identifier format]
Date: [Timeline consistent]
Organization: [Primary organization name]

INCIDENT SUMMARY:
Date/Time: [Incident timing]
Classification: [Regulatory classification level]
Systems Affected: [Technical systems with business impact]
Customer Impact: [Service disruption details]

RESPONSE ACTIONS:
1. Immediate: [Timeline and specific actions]
2. Short-term: [Follow-up actions and coordination]
3. Long-term: [Systemic improvements and policy updates]

REGULATORY COMPLIANCE:
[Specific regulatory requirements addressed]
[Cross-agency coordination requirements]

Media Coverage:

[NEWS PUBLICATION NAME]
"[Realistic headline relevant to incident]"
By [Journalist name], [Date]

[Lead paragraph establishing incident context]
[Industry expert quotes providing external perspective]
[Technical details appropriate for general audience]
[Community/stakeholder impact discussion]
[Regulatory or industry response context]

Federal/Industry Advisories:

[AGENCY NAME - DHS, CISA, FBI, etc.]
[ADVISORY TYPE - Alert, Bulletin, Guidance]
Advisory ID: [Realistic identifier]
Date: [Timeline consistent]
Classification: [Appropriate classification level]

THREAT OVERVIEW:
[Technical threat description]
[Attack pattern and sophistication assessment]
[Potential impact and target analysis]

RECOMMENDATIONS:
[Specific technical countermeasures]
[Coordination requirements]
[Reporting obligations]

Document Quality Standards

Authenticity Checklist:

- [ ] Realistic formatting matching actual organizational documents
- [ ] Consistent character voices across different document types
- [ ] Appropriate technical detail for document type and audience
- [ ] Natural organizational hierarchy and communication patterns
- [ ] Timeline consistency across all artifacts

Educational Effectiveness Checklist:

- [ ] Each artifact advances student understanding of the situation
- [ ] Multiple artifacts provide different perspectives on the same events
- [ ] Sufficient complexity to require critical thinking and synthesis
- [ ] Realistic ambiguity that mirrors professional decision-making
- [ ] Clear connections to learning objectives and assessment requirements
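The timeline-consistency item above is the one most easily checked mechanically once a collection grows beyond a handful of documents. The script below is an added example, not part of this template: it reads the header fields the artifact templates in Step 7 use (Type, Date or Date/Time, References), assigns each artifact to a phase of the Step 5 timeline, and flags artifacts dated in the wrong phase or citing documents that do not yet exist. The phase boundaries, the type-to-phase mapping, and the sample artifacts are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample collection: one header block per artifact, in the field
# style the Step 7 templates use. Organization, dates and IDs are invented.
ARTIFACTS = {
    "POL-01": "Document: Remote Access Policy\nType: policy\nDate: 2024-09-02 09:00",
    "ALT-07": "[CRITICAL ALERT] - System: Substation HMI-3\nType: alert\n"
              "Date/Time: 2024-10-14 02:17",
    "EML-12": "From: soc-lead@riverside-utility.example\nType: email\n"
              "Date: 2024-10-14 02:40\nReferences: ALT-07",
    # Deliberate defect: a filing dated before the alert it cites.
    "REG-01": "Filing ID: PUC-IR-2024-118\nType: regulatory_filing\n"
              "Date: 2024-10-13 16:00\nReferences: ALT-07",
}

DAY0 = datetime(2024, 10, 14, 2, 17)  # detection time used as T-Day 0

def phase_for(ts):
    """Assumed phase boundaries relative to Day 0 (the template gives none)."""
    offset = ts - DAY0
    if offset < timedelta(0):
        return "background"        # T-1 Month .. T-1 Week material
    if offset < timedelta(hours=4):
        return "detection"         # T-Day 0 .. T+1 Hour material
    return "analysis"              # T+4 Hours onward

# Assumed mapping from artifact type to the phase where it should appear;
# None means the type may legitimately appear in any phase.
EXPECTED_PHASE = {
    "policy": "background", "architecture": "background", "prior_incident": "background",
    "alert": "detection", "log": "detection", "email": None,
    "forensics": "analysis", "regulatory_filing": "analysis", "media": "analysis",
}

def parse_header(text):
    """Return (type, timestamp or None, [referenced artifact IDs])."""
    fields = dict(re.findall(r"^([A-Za-z/ ]+):\s*(.+)$", text, re.M))
    raw = fields.get("Date/Time") or fields.get("Date")
    ts = datetime.strptime(raw, "%Y-%m-%d %H:%M") if raw else None
    refs = [r.strip() for r in fields.get("References", "").split(",") if r.strip()]
    return fields.get("Type"), ts, refs

def check_collection(artifacts):
    """Return a list of consistency findings; an empty list means the collection passes."""
    parsed = {aid: parse_header(txt) for aid, txt in artifacts.items()}
    findings = []
    for aid, (kind, ts, refs) in parsed.items():
        if ts is None:
            findings.append(f"{aid}: no Date/Time field")
            continue
        expected = EXPECTED_PHASE.get(kind)
        if expected and phase_for(ts) != expected:
            findings.append(f"{aid}: {kind} dated in {phase_for(ts)} phase, expected {expected}")
        for ref in refs:
            if ref not in parsed:
                findings.append(f"{aid}: references unknown artifact {ref}")
            elif parsed[ref][1] and parsed[ref][1] > ts:
                findings.append(f"{aid}: references {ref}, which is dated later")
    return findings

if __name__ == "__main__":
    for finding in check_collection(ARTIFACTS):
        print(finding)
```

Run against a real collection, every finding is a document to re-date or re-type before students see it; the defective REG-01 entry above produces two findings.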

Step 8: Design Artifact-Based Assessments

Create assessments that require students to demonstrate document analysis skills, cross-referencing abilities, and collaborative decision-making—the core competencies of artifact-based methodology.

Individual Analysis Assessment

Artifact Analysis Framework:

**Prompt**: You are a cybersecurity consultant brought in to analyze the [Organization Name] incident. Using the provided artifact collection, develop a comprehensive assessment that addresses technical findings, stakeholder perspectives, and response recommendations.

**Required Elements**:
1. **Technical Analysis**: Correlate evidence across system logs, forensic reports, and vendor communications to understand attack progression and sophistication
2. **Stakeholder Assessment**: Identify different organizational perspectives revealed through email communications, regulatory filings, and media coverage
3. **Timeline Reconstruction**: Trace incident development through artifact timestamps and cross-referenced events
4. **Response Evaluation**: Assess effectiveness of coordination across technical teams, management, vendors, and regulatory agencies
5. **Strategic Recommendations**: Propose improvements that address technical vulnerabilities and organizational coordination challenges

Assessment Prompt Example:

Based on your analysis of the Riverside Power Grid Incident artifacts:

1. How do the SCADA alerts correlate with the threat intelligence patterns described in the DHS advisory? What does this tell you about attacker sophistication and objectives?

2. Trace the decision-making process from Maria Santos' initial email through the final regulatory filing. Where did human expertise complement automated system responses?

3. What tensions do you identify between operational security requirements and regulatory transparency obligations? How did different stakeholders navigate these competing demands?

4. Develop a response strategy that addresses both the immediate technical vulnerabilities and the longer-term coordination challenges revealed through this incident.

Collaborative Simulation Assessment

Assemblage Response Simulation:

**Format**: Multi-role incident response simulation using artifact analysis

**Team Roles**:
- Security Analyst: Lead technical analysis using logs and forensic reports
- IT Manager: Coordinate human resources and vendor relationships
- Compliance Officer: Manage regulatory requirements and disclosure obligations
- Communications Lead: Handle stakeholder messaging and media coordination

**Process**:
1. Individual artifact analysis (30 minutes)
2. Role-based preparation using relevant documents (30 minutes)
3. Cross-functional coordination meeting simulation (45 minutes)
4. Collaborative response strategy development (45 minutes)

**Evaluation**: Both individual role performance and collective decision quality

Cross-Case Analysis Assessment

Assemblage Pattern Recognition:

**Prompt**: Compare artifact patterns across [Case Study A] and [Case Study B]. Identify common elements in how human-technology assemblages respond to cybersecurity incidents across different industry contexts.

**Analysis Requirements**:
1. **Technology Agency**: How do automated systems participate in incident detection and response across both cases?
2. **Human-Technology Coordination**: What patterns do you see in how people work with technological systems under pressure?
3. **Organizational Assemblages**: How do multi-stakeholder networks form and coordinate during cybersecurity incidents?
4. **Response-ability Development**: What capabilities do organizations need to participate effectively in cybersecurity assemblages?

Step 9: Quality Assurance for Artifact-Based Cases

Systematic review ensures your artifact collection creates engaging, educational experiences while maintaining professional authenticity.

Artifact Quality Review:

Educational Effectiveness Review:

Posthuman Pedagogy Review:

Step 10: Implementation and Facilitation Guide

Successful artifact-based case implementation requires different facilitation approaches than traditional narrative cases. Students need support for document analysis skills and cross-referencing techniques.

Student Introduction Framework:

# Cybersecurity Incident Analysis: [Case Study Title]

## Your Professional Role
You are cybersecurity professionals investigating the [incident type] at [organization]. Rather than receiving a pre-written story, you'll analyze the actual documents that emergency responders, investigators, and decision-makers used during this incident.

## Artifact Collection Overview
Your investigation includes [X] documents spanning [time period]:
- Technical evidence: System logs, forensic reports, vendor communications
- Internal communications: Email threads, meeting transcripts, voice messages
- External documents: Regulatory filings, media coverage, industry advisories
- Background materials: Policies, procedures, organizational charts

## Analysis Approach
Work systematically through the document collection:
1. **Individual Review**: Read each artifact and note key technical and organizational details
2. **Cross-Reference Analysis**: Look for connections, contradictions, and patterns across documents
3. **Timeline Reconstruction**: Use timestamps to understand event progression and decision points
4. **Stakeholder Mapping**: Identify different organizational perspectives and priorities
5. **Synthesis and Recommendations**: Develop response strategies based on comprehensive analysis

Facilitation Strategies:

Document Analysis Skills: Students may need explicit instruction in reading technical logs, interpreting regulatory documents, and analyzing professional communications

Cross-Referencing Techniques: Teach students to track information across multiple documents using timeline tracking, stakeholder mapping, and evidence correlation

Perspective-Taking: Help students understand how the same events look different from various organizational positions and technical specializations

Collaborative Analysis: Structure group work so students can share document analysis findings and build collective understanding

Professional Authenticity: Emphasize that this analytical process mirrors real cybersecurity investigation and decision-making

Development Process for Artifact-Based Cases

Foundation and Research

Character and Organizational Development

Artifact Creation

Assessment Design and Testing

Implementation Preparation