Talking cyber security, Part Two: practices, policies, scenarios