Elevation of Privilege (EoP) Threat Modeling Card Game

Threat modelling is the beginning of the process of identifying the work needed to make something more secure. The Elevation of Privilege (EoP) card game was created by Adam Shostack to introduce developers who are not information security practitioners or experts to the craft of threat modeling.

View Product

What's in the deck?

The Standard deck contains 88 cards with 78 threat cards which contain cyber security anti-patterns which supports players as they attempt to find validated security flaws in a system. The cards are arranged in six suits based on the STRIDE mnemonic, giving players a framework for thinking specific actionable examples of those threats. The extended privacy edition contains 102 cards with an additional 13 privacy anti-pattern cards helping developers to spot common privacy and data handling errors as well. 

STRIDE Pnemonic:

  • Spoofing - Impersonating something or someone else.
  • Tampering - Modifying data or code.
  • Repudiation - Claiming not to have performed an action.
  • Information disclosure - Exposing information to someone not authorized to see it.
  • Denial of Service - Denying or degrading service to users.
  • Elevation of Privilege - Gain capabilities without proper authorization.

    The game was released in 2010. It is a gorgeously produced design at the centre of a gamification of a security checklist, modelled after the game
    called Spades. Adam wrote a white paper which explains the objectives and design of the game and his motivations for creating it. So if you're looking for ways to engage your developers in finding security flaws in their own designs before they leave the whiteboard, then the Elevation of Privilege game is a fun and effective way to draw devs into threatmodeling.

How to play Elevation of Privilege?

Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with 3 of tampering. To play a card, each player reads their card, announces the threat and records it. Each round is won by the highest card played in the suit that was led, unless an Elevation of Privilege (EOP) card is played. In that case, the high value EOP card wins.

With teams working remotely all around the world, we've also prepared a guide that aims to provide a framework for facilitators to setup the game through video calls using physical cards. 

For remote teams

  • Send out physical decks to every member of the team. Agile Stationery can help pack and ship for you, or you can order in bulk to your own address and ship them onwards. 
  • One or more team mates collaborate to produce or update a suitable diagram of the system, such as a data flow diagram. 
  • A Games Master randomly generates "hands" of cards for each player using Croupier, the online hand-dealing tool for EoP and Cornucopia. 
  • The Games Master books the meeting and sets up the video call. The calendar invitation will contain every player's hands. 
  • Share the system diagram on the video call.
  • Players work in rounds to beat each other at matching the most serious threat to the system diagram, using the normal game rules. 
  • The Games Master records where the threats were found and uses your organisation's normal systems to manage the work of checking up and mitigating the threat. 
  • Scores are calculated and a winner is declared

Play the Elevation of Privilege Card Game with its Inventor, Adam Shostack

This is an opportunity to experience, first hand, a game of Elevation of Privilege supported by the games inventor - threat modelling expert Adam Shostack. Working in a small group, you'll play the game online using physical cards and find threats in a sample system architecture.

Event details

Why play the game with physical cards?

A key reason Elevation of Privilege was designed as a box of cards was because "as a physical item it draws attention, and allows people to point at it in ways that are potentially awkward with a screen."  (source:EoP Whitepaper by Adam Shostack). This remains important even as we work remotely. The deck serves as a constant reminder to threat model. It acts as a compact reference even for years - like a well thumbed thesaurus!

Online tools are designed to play out over a short period of time. Perhaps an hour or two at the most. The experience of playing remotely with a physical deck is likely to engage players in the subject matter for around a week. If you play more than once per project then engagement with the material could last as long as the project does, or even for years if you have durable teams using the game.

So don't battle to stop devs put insecure systems into production. Draw them in, and have them find faults with their own designs before they leave the whiteboard. Try out the Elevation of Privilege game and deliver more secure systems earlier in the development phase. 

Subscribe and 20% off your first order!