EXPOSURE

Security governance for the board table, not the server room.

The only security governance game built around what management actually decides under NIS2.

Your board signs off on the security budget. Do they understand what they are deciding?

NIS2 Article 21(2)(g) is explicit: management bodies must be trained in cybersecurity. Not briefed. Trained. There is a difference.

Traditional security briefings for leadership are passive. A slide deck goes up, numbers are shown, heads nod. Two weeks later, nothing has changed about how the board thinks about risk. The people who signed off on the budget still cannot articulate what they signed off on.

EXPOSURE changes that. By putting your management team through realistic governance decisions, it builds the kind of instinctive understanding that a briefing cannot produce. You experience the trade-offs. You own the decisions. The debrief connects what you learned to your actual organisation.

Security awareness training covers the workforce. EXPOSURE covers the people responsible for the strategy.

Klaus Agnoletti

THE GAME

What EXPOSURE actually is

EXPOSURE is a board game for management teams. Six to seven players take on roles within a fictional company and work through three rounds of security governance decisions: budget allocation, incident escalation, vendor risk, and board-level communication. No technical knowledge required. No slides. No passive listening.

The game is built around NIS2 Article 21(2)(g), which makes management accountability for cybersecurity explicit. EXPOSURE makes that accountability tangible. Players leave with a concrete sense of what good security governance looks like in practice, not just what the regulation requires on paper.

Each round introduces a scenario drawn from real management-level security situations. Players must decide how to respond, with the information they have, within the authority they hold, under the time pressure of a real crisis. The decisions are hard. The trade-offs are genuine. The debrief makes them useful.

I facilitate every session. The question is not whether I run it. It is how deeply I frame it to your organisation.

GOVERNANCE DECISIONS

What EXPOSURE puts on the table

Security budget trade-offs

Your board allocates the security budget. EXPOSURE puts the trade-off decisions on the table in real time: what to fund, what to cut, and what risk you accept when you do either.

Incident escalation authority

When does a security incident become a board-level issue? EXPOSURE makes that decision boundary explicit, and tests whether your management team agrees on where it sits.

Vendor and supply chain risk

Third-party risk is a board governance question, not just a procurement one. EXPOSURE surfaces what management needs to ask before signing, and after something goes wrong.

Crisis communication decisions

What does the board communicate, to whom, and when? EXPOSURE tests the communication decisions that management must own, including what not to say and to whom.

Risk acceptance criteria

What level of residual risk is acceptable? EXPOSURE forces that conversation explicitly. Players cannot pass the decision to the security team. They own it.

Compliance vs. operational reality

NIS2 compliance and operational security are not always the same thing. EXPOSURE makes the gap visible, and gives management the language to close it.

LEARNING OUTCOMES

What your team walks away with

Confident security governance

The vocabulary, judgement, and confidence to participate in security decisions at the board level, not just sign off on them.

NIS2 Article 21 in practice

A practical understanding of what Article 21(2)(g) requires of management, built through experience, not a legal briefing.

The right questions to ask

Knowing what to challenge, what to trust, what to escalate, and when to push back on the security team’s recommendations.

Shared governance language

A common language and set of reference points for security governance discussions across the leadership team.

Decision-making under uncertainty

Practice making consequential security decisions with incomplete information, which is every real security decision.

Connected to your context

A debrief that maps the game experience directly to your organisation’s actual situation, risks, and governance gaps.

HOW IT WORKS

How a session runs

I facilitate every session. The base format runs in sixty minutes and works well as a standalone event: a management training day, a board offsite, an NIS2 awareness session. I run the game, facilitate the rounds, and close with a structured debrief using the scenarios the game surfaces.

The workshop format goes further. Before the session I talk to whoever is organising it: your governance setup, current NIS2 readiness, the decisions your board has been sitting on. That shapes how I frame the game at the start and how I run the debrief at the end. The debrief stops being about what the game revealed and starts being about what your organisation needs to do differently.

Framing (15 min): I set the context for your group, why this matters for your organisation and what I want participants to notice during play.

Three rounds (35 min): Players work through the scenario as a company leadership team. Budget trade-off, vendor risk, incident escalation. No right answers on the card. I observe and note where the team diverges.

Debrief (10–20 min): In the base format I connect the game experience to general governance principles. In the workshop format I connect it to your specific situation: what the disagreements revealed, where authority was unclear, what to take back to the board table.

Multiple tables can run simultaneously for larger groups. The full-group debrief draws on what different tables decided differently. That variation is often the most useful part of the session.

Who EXPOSURE is for

EXPOSURE works for any management team that holds governance responsibility for cybersecurity, and needs to build the understanding to exercise that responsibility confidently. Typical participants: C-suite, board members, senior managers, risk and compliance officers, general counsel. Anyone whose role involves security decisions but who does not come from a technical background.

It works particularly well for NIS2 readiness programmes, management training days, board offsites, and executive onboarding. Both private sector and public sector organisations subject to NIS2.

Group size is six to seven players per table. Multiple tables run simultaneously for larger organisations. Duration is sixty minutes for the base format; ninety minutes for the full workshop. Facilitated by Klaus Agnoletti.

NIS2 MAPPING

How EXPOSURE maps to NIS2

NIS2 requirementWhat it asks of managementHow EXPOSURE addresses it
Article 20(1), governance & accountabilityManagement bodies approve the cyber risk-management measures, oversee their implementation, and can be held liablePuts those approve-and-oversee decisions on the table as the game itself
Article 20(2), trainingMembers of management bodies must follow training to identify risks and assess cyber risk-management practicesDelivers exactly that training as a facilitated half-day where leadership makes the decisions
Article 21, risk-management measuresOrganisations must take appropriate and proportionate risk-management measuresFrames the real trade-offs management decides on: what to fund, what to cut, what risk to accept

FAQ

Frequently asked questions

Does EXPOSURE satisfy NIS2 Article 20 management-training requirements?
EXPOSURE is built around the decisions NIS2 Article 20 puts on management: approving the risk-management measures, overseeing them, and answering for them. Article 20(2) requires management bodies to undergo training to identify and assess cyber risk. EXPOSURE delivers that training as a facilitated half-day where leadership actually makes those decisions, rather than being briefed about them.
Who should play EXPOSURE?
The people NIS2 holds accountable: board members, executives, and senior management, with the security lead alongside them. It is designed for the board table, not the server room.
How long is a session?
A half-day. It fits a leadership calendar, not a week-long course.
Is it a lecture or a hands-on exercise?
Hands-on. Management works real governance trade-offs under pressure, what to fund, what to cut, what risk to accept, and sees the consequences play out.
Does EXPOSURE replace our NIS2 compliance programme?
No. It is the rehearsal layer for the people accountable under NIS2. It makes sure the humans who own the decisions have practised making them; it does not do your compliance paperwork.
Can it be tailored to our organisation?
Yes. It is shaped around your environment and the decisions your leadership actually faces.

Ready to make your next board meeting count?

Reach out and let’s talk about what a session would look like for your team.

See the full serious games lineup.

No cookies here

Notice there’s no cookie banner here.
That’s intentional and the site is still GDPR-compliant. I chose to avoid cookies and stick to basic, privacy-friendly stats.
My analytics are cookieless: self-hosted Plausible (EU) and PostHog in cookieless mode, with your IP anonymized. No cross-site tracking, nothing that identifies you.
The one cookie I can set does the opposite of every other cookie: it tells my stats to ignore you completely, and you only get it if you ask.

Everybody wins.