My shopping cart
Your cart is currently empty.
Continue ShoppingDon't loose physical touch with Elevation of Privilege
As we all continue to work remotely, there are things we increasingly miss about being together in the office. The Elevation of Privilege Card game is a great example of what worked well in a physical workspace with developers getting together in a room to threat model like playing Spades.
01
Turning it into a game lowers the stakes and provides a safe environment for creative exploration of the security problem.
02
Assigning threat models to players helps make use of detailed context known to each player.
03
Randomly dealing out threats to players prompts the sharing of tacit knowledge that cannot reliably be located in advance.
The overall process is as follows:
One of the less well-used optional rules in Elevation of Privilege permits players to swap cards mid game.
The great thing about this rule is that threats which players have failed to find in the system diagram might yet be found by players with different backgrounds and knowledge.
How users come to identify a possible trade is not specified. We believe that encouraging players to spend time with their own copies of the game deck and pull out their own hand is an aid to setting up trades.
When sending out the hands, copy them from the tool into the groups calendar invitation so that the hands are not a secret.
A key reason Elevation of Privilege was designed as a box of cards was because "as a physical item it draws attention, and allows people to point at it in ways that are potentially awkward with a screen." (source: EoP Whitepaper by Adam Shostack). This remains important even as we work remotely. The deck serves as a constant reminder to threat model. It acts as a compact reference even for years - like a well thumbed thesaurus!
The deck itself contains 84 cards with 74 cards dedicated to cyber security anti-patterns within a 6 category framework called STRIDE, making it an excellent source of cyber security content in a compact form.
Online tools are designed to play out over a short period of time. Perhaps an hour or two at the most. If you're using online tools which display a random card one at a time, the players are engaging with the threats one at a time at that point in time only.
Playing remotely with a physical deck engages players in the subject matter for much longer than that. You receive the deck. You go through it as you fetch your hand. You're engaged before the game has even started. You're engaged for longer, thinking about the cards in the back of your head, while working on code.
Convinced to invest in a deck of cards that could change of the face of security in your development team, then explore our cyber security range here. An automatic discount of 20% will be applied when you buy 3 or more decks for your team.
Explore the gamesSubscribe for newsletter