EXPOSURE
Security governance for the board table, not the server room.
The only security governance game built around what management actually decides under NIS2.
Your board signs off on the security budget. Do they understand what they are deciding?
NIS2 Article 21(2)(g) is explicit: management bodies must be trained in cybersecurity. Not briefed. Trained. There is a difference.
Traditional security briefings for leadership are passive. A slide deck goes up, numbers are shown, heads nod. Two weeks later, nothing has changed about how the board thinks about risk. The people who signed off on the budget still cannot articulate what they signed off on.
EXPOSURE changes that. By putting your management team through realistic governance decisions, it builds the kind of instinctive understanding that a briefing cannot produce. You experience the trade-offs. You own the decisions. The debrief connects what you learned to your actual organisation.
Security awareness training covers the workforce. EXPOSURE covers the people responsible for the strategy.
THE GAME
What EXPOSURE actually is
EXPOSURE is a board game for management teams. Six to seven players take on roles within a fictional company and work through three rounds of security governance decisions: budget allocation, incident escalation, vendor risk, and board-level communication. No technical knowledge required. No slides. No passive listening.
The game is built around NIS2 Article 21(2)(g), which makes management accountability for cybersecurity explicit. EXPOSURE makes that accountability tangible. Players leave with a concrete sense of what good security governance looks like in practice, not just what the regulation requires on paper.
Each round introduces a scenario drawn from real management-level security situations. Players must decide how to respond, with the information they have, within the authority they hold, under the time pressure of a real crisis. The decisions are hard. The trade-offs are genuine. The debrief makes them useful.
I facilitate every session. The question is not whether I run it. It is how deeply I frame it to your organisation.
GOVERNANCE DECISIONS
What EXPOSURE puts on the table
Security budget trade-offs
Incident escalation authority
Vendor and supply chain risk
Crisis communication decisions
Risk acceptance criteria
Compliance vs. operational reality
LEARNING OUTCOMES
What your team walks away with
Confident security governance
NIS2 Article 21 in practice
The right questions to ask
Shared governance language
Decision-making under uncertainty
Connected to your context
HOW IT WORKS
How a session runs
I facilitate every session. The base format runs in sixty minutes and works well as a standalone event: a management training day, a board offsite, an NIS2 awareness session. I run the game, facilitate the rounds, and close with a structured debrief using the scenarios the game surfaces.
The workshop format goes further. Before the session I talk to whoever is organising it: your governance setup, current NIS2 readiness, the decisions your board has been sitting on. That shapes how I frame the game at the start and how I run the debrief at the end. The debrief stops being about what the game revealed and starts being about what your organisation needs to do differently.
Framing (15 min): I set the context for your group, why this matters for your organisation and what I want participants to notice during play.
Three rounds (35 min): Players work through the scenario as a company leadership team. Budget trade-off, vendor risk, incident escalation. No right answers on the card. I observe and note where the team diverges.
Debrief (10–20 min): In the base format I connect the game experience to general governance principles. In the workshop format I connect it to your specific situation: what the disagreements revealed, where authority was unclear, what to take back to the board table.
Multiple tables can run simultaneously for larger groups. The full-group debrief draws on what different tables decided differently. That variation is often the most useful part of the session.
Who EXPOSURE is for
EXPOSURE works for any management team that holds governance responsibility for cybersecurity, and needs to build the understanding to exercise that responsibility confidently. Typical participants: C-suite, board members, senior managers, risk and compliance officers, general counsel. Anyone whose role involves security decisions but who does not come from a technical background.
It works particularly well for NIS2 readiness programmes, management training days, board offsites, and executive onboarding. Both private sector and public sector organisations subject to NIS2.
Group size is six to seven players per table. Multiple tables run simultaneously for larger organisations. Duration is sixty minutes for the base format; ninety minutes for the full workshop. Facilitated by Klaus Agnoletti.
NIS2 MAPPING
How EXPOSURE maps to NIS2
| NIS2 requirement | What it asks of management | How EXPOSURE addresses it |
|---|---|---|
| Article 20(1), governance & accountability | Management bodies approve the cyber risk-management measures, oversee their implementation, and can be held liable | Puts those approve-and-oversee decisions on the table as the game itself |
| Article 20(2), training | Members of management bodies must follow training to identify risks and assess cyber risk-management practices | Delivers exactly that training as a facilitated half-day where leadership makes the decisions |
| Article 21, risk-management measures | Organisations must take appropriate and proportionate risk-management measures | Frames the real trade-offs management decides on: what to fund, what to cut, what risk to accept |
FAQ
Frequently asked questions
Does EXPOSURE satisfy NIS2 Article 20 management-training requirements?
Who should play EXPOSURE?
How long is a session?
Is it a lecture or a hands-on exercise?
Does EXPOSURE replace our NIS2 compliance programme?
Can it be tailored to our organisation?
Ready to make your next board meeting count?
Reach out and let’s talk about what a session would look like for your team.
See the full serious games lineup.