At Agile Stationery, we often face the challenge of explaining how simple, affordable paper products like "Elevation of Privilege" can play a crucial role in solving complex and urgent problems such as cybersecurity. The reasoning behind this connection is extensive, and the pioneers who paved this path are not always available to explain themselves.
This is why it was a significant moment when two leading figures in our community, Adam Shostack and Mark Vinkovits, delivered an insightful speech at the AppSecCali conference a few years ago. Here are some key takeaways from their talk:
Introduction to Elevation of Privilege
Elevation of Privilege is a card game designed to teach and facilitate threat modeling. It provides a structured approach to identifying and addressing security threats, making it an effective tool for both beginners and experts in the field.
The game’s evolution includes the integration of privacy elements, resulting in a new methodology called STRIPED, created by Mark Vinkovits during his time at LogMeIn. Mark's team was already playing EoP regularly, and integrating privacy into the game helped address the organisation's privacy concerns in a way that built on existing security practices and fitted their agile methodology.
The Importance of Threat Modeling
Threat modeling is a critical practice in any security program. It involves systematically identifying potential security threats and determining how to mitigate them. However, newcomers often face challenges in getting started with this complex task.
Traditional advice like 'think like an attacker' and 'brainstorm' lacks the structure and guidance needed for effective threat modeling. Extensive threat libraries, while useful, can be overwhelming without adequate time and experience.
Bridging the Knowledge Gap
Adam's comprehensive Threat Modeling book, while valuable, is not beginner-friendly. Experts in the field often operate in a state of flow—engaged and playful in their exploration of ideas. For novices, the challenge can be daunting without a corresponding increase in skill. The result is anxiety for beginners or boredom for experts.
To bridge this gap, parallels can be drawn to video game design, where players gradually build skills through increasingly challenging tasks. This approach can be applied to threat modeling, creating an engaging and effective learning experience, while delivering real value.
Four Key Questions in Threat Modeling
When approaching threat modeling, consider these four key questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
There are various ways to address these questions. Elevation of Privilege was created as an easy entry point into threat modeling. Starting with something as simple as a whiteboard diagram, participants can quickly get involved and learn by playing the game.
Practical Application
After drawing a basic diagram, participants sit down and play the Elevation of Privilege card game. This game guides them through the process of identifying and addressing potential threats, providing a hands-on, interactive way to learn and apply threat modeling principles.
Why are games good for cybersecurity?
Games offer a unique and effective approach to cybersecurity by capturing attention and fostering engagement, which is ideal for involving developers and operations staff.
They help participants enter a state of flow, enhancing productivity during threat modeling sessions. Games ensure inclusive participation, encouraging even reserved team members to engage.
"...the act of playing gives us permission to behave differently than we might otherwise be in a meeting." - Adam Shostack
The game setting allows for safe exploration and questioning, even challenging senior developers without hierarchical constraints. Games like Elevation of Privilege produce actionable threat models, making them practical for real-world cybersecurity.
This session highlighted how simple tools like the Elevation of Privilege card game can effectively demystify complex cybersecurity concepts, making them accessible and engaging for both beginners and experienced professionals. By fostering an environment of playful exploration and structured learning, these tools help build essential skills and enhance overall security practices.