“Do Everything Wrong” workshops

Reverse workshops where participants deliberately do everything insecurely. Learning what not to do by actually doing it wrong is memorable, engaging, and reveals vulnerabilities through practice rather than lecture.

Workshop format

  • Duration: 90-120 minutes

  • Group size: 8-15 participants

  • Setup: Meeting room with projector, laptops optional, post-it notes and markers

Opening (10 minutes)

Facilitator: “Today’s workshop is different. Your goal is to be as insecure as possible. Do everything wrong. Break every security rule. We’ll see what happens and why it matters.”

Ground rules:

  • This is safe environment. No real systems, data, or consequences.

  • Creativity encouraged. Think of worst security practices.

  • Humour welcome. Making it fun helps learning.

  • No judgment. Today, bad security is the goal.

Exercise: Terrible password creation contest (20 minutes)

Challenge: Create the worst possible password and explain why it’s awful.

Activity:

  • Each person writes down intentionally terrible password

  • Share with group and explain why it’s bad

  • Group votes on worst password

  • Winner gets “Worst Password Award”

Examples participants generate:

  • “password123”

  • “CompanyName2024”

  • “qwerty”

  • Name of spouse or pet everyone knows about

  • Same password used everywhere

Learning moment: Facilitator explains why each bad password is vulnerable. Dictionary attacks, credential stuffing, social engineering, brute force. Make it concrete.

Bridge to good practice: “Now that we’ve created terrible passwords, what makes good ones?” Let participants answer based on understanding bad ones.

Exercise: Phishing email creation workshop (25 minutes)

Challenge: Create most convincing phishing email targeting your colleagues.

Activity:

  • Small groups (3-4 people) design phishing email

  • Must target someone in room (with their permission)

  • Include psychological manipulation tactics

  • Present to group

  • Target explains if they would have fallen for it

Elements groups incorporate:

  • Urgency (“Action required immediately!”)

  • Authority (“From IT Director”)

  • Fear (“Account will be suspended”)

  • Curiosity (“You won a prize!”)

  • Familiarity (spoofed from known sender)

Learning moment: Discuss manipulation tactics, how to recognise them, red flags that indicate phishing.

Twist: Facilitator reveals pre-sent actual phishing email to group with these tactics. Who clicked it? Safe discussion about why.

Exercise: Insecure office tour (20 minutes)

Challenge: Identify all the terrible security practices in fictional office scenario.

Activity:

  • Facilitator describes office scene or shows photos (staged)

  • Participants identify security failures

  • Compete to find most failures

  • Discuss consequences of each

Scenario elements:

  • Passwords on sticky notes under keyboard

  • Unlocked screen with sensitive data visible

  • Visitor badge worn by someone who doesn’t work there

  • Sensitive documents in trash bin

  • USB drive labelled “Executive Salaries” plugged into computer

  • Door propped open

  • Laptop left unattended in cafe

  • Loud conversation about confidential information in public

Learning moment: Each failure connects to real incident. “Company X lost £2M because of unlocked laptop in hotel lobby.”

Exercise: Social engineering roleplay (25 minutes)

Challenge: Act out social engineering attacks and defences.

Scenarios:

  1. Tailgating: Someone follows through secure door, claiming they forgot badge

  2. Phone pretexting: Caller claims to be from IT and needs password to “fix your account”

  3. Desk dive: Someone asks to borrow laptop “just for five minutes”

  4. Email impersonation: Urgent request from “CEO” to transfer money immediately

Activity:

  • Volunteers act out each scenario

  • First time: Target does everything wrong (gives access, shares password, etc.)

  • Second time: Target responds correctly

  • Group discusses what changed and why it worked

Learning moment: Practice saying “no” to pressure. Develop scripts for common scenarios. Understand manipulation techniques.

Closing: From wrong to right (10 minutes)

Synthesis: What did we learn by doing things wrong?

Action items: Each person commits to one specific behaviour change based on workshop.

Resources: Share quick reference card with common red flags and correct responses.

Feedback: What was most valuable? What should we do differently next time?