(Image: DM preparing for their first campaign with dice, character sheets, and security training materials spread across a desk.)

Session Zero: I've Never Been a DM, But I'm Running My First Campaign at Work

2026-02-01

I have over 1,000 hours in Baldur’s Gate 3. Still haven’t finished the game. Yikes.

I’ve been a player in tabletop campaigns. I’ve theory-crafted builds. I’ve lurked on D&D subreddits arguing about multiclass optimization.

But I’ve never actually run a campaign. Never been the one responsible for keeping players engaged, managing the chaos, making sure everyone’s having fun.

So naturally, my first campaign is at my job. My players are my coworkers and bosses. Aaaaaaand I have no idea if this is going to even work.


The Problem: Compliance Isn’t Culture

Teaching teachers is a tough room.

I say this with love—I was a teacher for 15 years. I know what it’s like to sit through mandatory PD that has nothing to do with your actual job. I know the art of looking engaged while mentally planning tomorrow’s lesson. I know the collective sigh when someone says “now we’ll break into small groups” or “let’s do a think-pair-share”. Yuck.

So when I took over security awareness for my district, I tried to be realistic. Mandatory async video training, quiz at the end, everyone completes it, HR gets their checkboxes. Compliant.

People kept clicking phishing emails.

Not because they’re dumb. Because watching a 25-minute video once a year doesn’t change behavior. They completed it to make the reminder emails stop. The knowledge was never theirs.

I went looking for something better. Found a vendor offering free K-12 security training. The content was…fine. Generic. Blah. Didn’t account for the fact that my staff are juggling parent calls, student crises, and seventeen tasks before lunch. And the hoops I had to jump through just to access the “free” training? Not worth it.

Here’s what my dummy brain finally figured out: compliance isn’t culture. You can check every box, pass every quiz, and still have people clicking malicious links because they’re busy, distracted, and don’t think security is their job.

We don’t have a security team. We have me. The only way to scale is to build awareness into the culture—which means empowering the people already here.


Why a TTRPG Framework?

I’m AuDHD. My brain doesn’t do weird, ambiguous, open-ended tasks. “Improve security culture” is like navigating a maze with no walls. I’ll wander, get distracted, end up reorganizing my desk.

But give me a character sheet? Those sweet six bounded stats and a clear progression system? Suddenly I can think.

That’s the thing about D&D (and BG3, my particular vice). Character creation doesn’t paralyze me. It focuses me. I can see strengths and weaknesses. I can plan a badass build. I can make decisions.

So being the obsessive person I am, I asked myself: What if security awareness wasn’t a course? What if it was a campaign?

Quests instead of modules. XP instead of completion percentages. An actual narrative arc instead of once-a-year compliance theater. Inject my special interest into every aspect of my life!


The Design Principles

Voluntary over mandatory. Forced training breeds resentment fr. I’d rather have 5 engaged champions than 50 reluctant conscripts clicking through videos to make IT leave them alone.

Peer influence over top-down enforcement. When the most trusted person in the office asks “did you verify that caller?” it lands different than another policy email from IT. From me. Security culture spreads through relationships.

Quests over modules. Passive videos don’t change behavior. Practical tasks do. Report a real suspicious email. Practice saying “let me verify that and call you back.” Lock your workstation every time you step away, for a whole week. Yes, EVERY TIME. Small actions become habits.

No fear-based testing. I’m running simulated phishing and social engineering—“red team trials.” But my champions know the trials are coming. They just don’t know when. Builds vigilance, not anxiety. When someone falls for one, it’s a teaching moment, not a gotcha.

Practice before crisis. Leadership’s first incident response shouldn’t be during an actual incident. The campaign ends with a tabletop exercise—a practice run while stakes are low.


What I’m Launching

The players: 3-5 staff who opt in as Security Champions. I’m looking for natural skeptics, people who notice when something’s off, connectors trusted across departments. They don’t need to be technical. They need to be the kind of person others actually listen to.

The structure: 12-week campaign with weekly quests. Some quests are one-time (set up a password manager). Some are ongoing (report 3 suspicious emails over 30 days). Some are social (help a colleague with something security-related).

The progression: XP for completed quests. Ranks unlock as you level up. Visible progress tied to real skills.

The trials: Phishing emails, pretexting calls, maybe a tailgating attempt if I can find a friend willing to do it for me. Champions know these are coming—the goal is practice, not punishment.

The boss battle: April. 90-minute tabletop incident response exercise with leadership and champions together. Walk through a scenario—ransomware, data breach, whatever—and practice our response as a team.

The budget: ~$150 for snacks and small rewards, plus my time and whatever sanity I have left.
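A small ledger for the quest, XP and rank structure described above, written here as an added example (not code from the post or the district); the quest names, XP awards, rank thresholds and the rolling-window rule for ongoing quests are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed values: quest names, XP awards and rank thresholds are
# illustrative assumptions, not figures from the post.
RANKS = [(0, "Initiate"), (50, "Sentinel"), (120, "Warden"), (200, "Champion")]

@dataclass
class Quest:
    name: str
    xp: int
    kind: str                          # "one_time", "ongoing" or "social"
    required: int = 1                  # qualifying actions needed to complete
    window_days: Optional[int] = None  # ongoing quests: rolling window length

@dataclass
class Champion:
    name: str
    log: List[Tuple[str, date]] = field(default_factory=list)  # (quest, day)

    def record(self, quest_name: str, day_iso: str) -> None:
        """Log one qualifying action on an ISO date such as '2026-02-12'."""
        self.log.append((quest_name, date.fromisoformat(day_iso)))

def quest_complete(quest: Quest, champ: Champion) -> bool:
    """One-time and social quests need `required` actions in total; ongoing
    quests need `required` actions inside any span shorter than `window_days`."""
    days = sorted(d for q, d in champ.log if q == quest.name)
    if quest.window_days is None:
        return len(days) >= quest.required
    for i in range(len(days) - quest.required + 1):
        span = (days[i + quest.required - 1] - days[i]).days
        if span < quest.window_days:
            return True
    return False

def total_xp(quests: List[Quest], champ: Champion) -> int:
    return sum(q.xp for q in quests if quest_complete(q, champ))

def rank_for(xp: int) -> str:
    """Highest rank whose threshold the XP total has reached."""
    return max((r for r in RANKS if xp >= r[0]), key=lambda r: r[0])[1]

# Constructed sample quest list mirroring the three quest types in the post.
QUESTS = [
    Quest("Set up a password manager", 30, "one_time"),
    Quest("Report suspicious emails", 40, "ongoing", required=3, window_days=30),
    Quest("Help a colleague with a security task", 20, "social"),
]
```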


Session Zero Is Next Week

Yoooo I’d be lying if I said I wasn’t nervous.

What if nobody wants to participate? What if my champions are too busy, too skeptical, too checked-out to engage? What if I’ve built this whole-ass elaborate system and it just…flops?

Cybersecurity has taught me to embrace failure in a way I never did before. You’re supposed to break things. Red teams exist to fail forward. I know this intellectually.

But that first wave of oh no oh no oh no is hard to get past. RSD doesn’t care about cultivating a growth mindset lol

Every Friday while I write and work from another table, I casually observe my kid’s D&D campaign at a local coffee shop. Their DM runs a table of sugared-up middle schoolers after a full week of school. She keeps them engaged for a FULL 90 minutes. Brings it back to task while keeping it fun. Adapts when they go off-script. (Which is always; they’re tweens and teens, and everything is six SEVennnnn.)

If that DM can handle that chaos? I totally can handle this.


Follow the Campaign

This is post one of a series. I’m documenting this in real time—partly for accountability, partly because other solo IT folks might find it useful.

Next: Mid-campaign check-in. What’s working, what’s not, whether I’ve had to rewrite everything on the fly. (Probably. That’s what DMs do.)

After that: Post-campaign debrief. Results, lessons learned, and whether this thing is worth packaging up for others.

If you want to see whether I pull this off or spectacularly TPK my own security culture, follow along on Bluesky, my babies: @accidentalitguy.bsky.social

Roll for initiative. I’ll let you know how it goes.