Skip to content
Agile StationeryAgile Stationery
How to play EoP and Cornucopia remotely

How to play EoP and Cornucopia remotely

Elevation of Privilege and OWASP Cornucopia are great games to help software delivery teams to be more aware of threat models and actively seek out specific threats.

Many of the advantages of the game are cognitive or psychological and we believe that playing the game with physical cards plays to its strengths while playing to human strengths.

3 advantages of playing games in cyber security

Turning it into a game lowers the stakes and provides a safe environment for creative exploration of the security problem.

Assigning threat models to players helps make use of detailed context known to each player.

The Unexpected 
Randomly dealing out threats to players prompts the sharing of tacit knowledge that cannot reliably be located in advance, such as the details of how specific components were programmed and tested.

While we love the fact we have some great threat modeling card games, when COVID hit, we felt we could do more to support remote players. In person, it's really easy to shuffle and deal out cards so that each player has a random hand of cards to play. The random element is important, but is harder remotely, and so we produced an online tool, Croupier, to take care of the shuffling and card-dealing.

How to play security games on a video call

The overall process is as follows:

• Send out physical decks to every member of the team. Agile Stationery can help pack and ship for you, or you can order in bulk to your own address and ship them onwards.
• One or more team mates collaborate to produce or update a suitable diagram of the system, such as a data flow diagram.
• A Games Master randomly generates "hands" of cards for each player using Croupier
• The Games Master books the meeting and sets up the video call. The calendar invitation will contain every player's hands.
• Players work in rounds to beat each other at matching the most serious threat to the system diagram, using the normal game rules.
• The Games Master records where the threats were found and uses your organisation's normal systems to manage the work of checking up and mitigating the threat.
• Scores are calculated and a winner is declared

Why send Physical decks?


Online tools are designed to play out over a short period of time. Perhaps an hour or two at the most. The experience of playing remotely with a physical deck is likely to engage players in the subject matter for around a week. 

If you play more than once per project then engagement with the material could last as long as the project does, or even for years if you have durable teams using the game. A sensible comparison is with a well thumbed thesaurus.

Consider the lifecycle from the players perspective:

• The player receives the deck and looks it over
• The player receives his hand from the Games Master by email.
• They accept a calendar invite to play one game targeting one system. They might get the system diagram at this point too.
• They fetch out their hand ahead of the game.
• The player joins a video call to play the game.

The player will interact with the deck on at least three of these occasions. As soon as the hand and the target system are known to the player, even if the system diagram is not ready, then they will naturally be engaged with trying to match the threat cards to the architecture. This means that in the back of their heads, while working on code, or waiting at the bus stop, your players are already playing.  

The card trading rule

One of the less well-used optional rules in Elevation of Privilege permits players to swap cards mid game.

The great thing about this rule is that threats which players have failed to find in the system diagram might yet be found by players with different backgrounds and knowledge.
How users come to identify a possible trade is not specified. We believe that encouraging players to spend time with their own copies of the game deck and pull out their own hand is an aid to setting up trades.

When sending out the hands, copy them from the tool into the groups calendar invitation so that the hands are not a secret. 

Sending out multiple decks

We appreciate that sending out multiple decks can be somewhat expensive so we offer bulk discounts. We believe that sending out a full deck to every player will give them a far better understanding of the game and they are much more likely to engage with the material in a deep, task focused, and repeated way. Also, consider the business value of finding security flaws.

An investment of tens of dollars for each member of the delivery team could save millions of dollars of lost revenue or fines further down the road. 

Explore our threat modeling tools


Leave a comment

Your email address will not be published..

Cart 0

Your cart is currently empty.

Start Shopping