Simon Gibb 18 January 2022

Successful threat modelling alongside super-assertive developers

You know the type. A brain full of facts, an exceptionally good problem solver, but not especially easy to work with. These people have a need to be the smartest person in the room. Add the fact that they are super proud of their code and know every detail of it, and you will see that a constructive criticism of their creation is going to be a struggle. Let's call them Assertive Ash.

Swag box for Play Secure Conference

There is another type worth worrying about too. The quiet, cognitive, calm and agreeable sort that knows their stuff but tends to be shy around the other one. Let's call this one Quiet Kyle. Let's assume Kyle is also new at the company and, regardless of Ash's often unrealistic hubris, Kyle actually doesn't have as much context as Ash does. This is the worst case scenario for inclusive facilitation.

While these are obviously stereotypes, the chances are you recognise people in your professional world a little like these characters. Think of them. Imagine a meeting around a whiteboard where these two, and a cyber security expert - you, perhaps - attempt to find vulnerabilities in an enterprise software application written by Ash and Kyle. Do you think you will hear much from Kyle?

There are plenty of ways to deal with an assertive character. Ask them closed questions so they finish quickly, and ask open questions to the shy character so they are encouraged to speak their minds. In some cases though, especially if the topic is very complex, turn-taking is needed.

For exactly this scenario, card games like Elevation of Privilege and OWASP Cornucopia come into their own. The turn-based gameplay stops one person thinking out loud or taking up all the air, and it also stops the other person falling into a pattern of listening, because it gives them specific times to talk.

Elevation of Privilege is a simple game - with just enough gameplay to encourage a little competition. Its real value is that the cards prompt ideas of things that could go wrong. Each card summarises years of experience of things that did go wrong. Types like Ash get their cards - their set of problems - to deal with, forcing them to consider new perspectives, and to leave space for shy Kyles to work in.

Gamified threat modelling has more "givens", and more structured decisions. Play usually stays in one suit at a time, and a suit represents a certain class of attack. This will allow Kyle to focus, and also to take support from the examples of each attack type in their hand.

There are also two scoring systems, offering a choice of strategy. A player lacking confidence will often start with the most familiar example, using whatever context they have to help them find vulnerabilities. The first scoring mechanism awards points for vulnerabilities, even if the example is a losing card.

The second scoring system rewards the highest value card, so a confident player will pick a higher value card. Because higher value cards can be more complex, they will have a tougher time finding that problem in the system diagram. So if Ash plays to win they will actually be handing over a handicap to Kyle.

As gameplay continues, both mechanisms are weakened, offering a new challenge to all players and keeping them in the zone. Moving from suit to suit also poses new challenges and opportunities for each participant.

These are examples of how adding gamification to a working meeting balances competing concerns and creates a level playing field where the whole team can play their part. Some players find the playful atmosphere also helps overcome shyness, all by itself.

Agile Stationery runs regular Play to Learn events where you can experience a game of Elevation of Privilege with the inventor of the game Adam Shostack and learn expert facilitation techniques to get the best of the game. If you would like to give these sessions a try, please book a place on a public session or reach out to us for details of private events for your team.