Elevation of Privilege (EoP) Threat Modeling Game

The Elevation of Privilege (EoP) card game is designed to introduce developers who are not information security practitioners or experts to the craft of threat modeling. The game uses a variety of techniques to do so in an enticing, supportive and non-threatening way. Threat modelling is not a whole security solution, but it is the beginning of the process of identifying the work needed to make something more secure.

According to the 2020 DevSecOps report by Gitlab:

"68% of security professionals feel that less than half of developers can spot security vulnerabilities, but most people feel it's a programmer's job to write secure code. At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, 'It's a mess, no standardization, most of my work has never had a security scan.'"

The Elevation of Privilege card game is an excellent way to bring security into the development process earlier, enabling developers to find and fix vulnerabilities in their own systems before they ship.

How the Elevation of Privilege works

The game consists of 74 playing cards, each describing a cyber security anti-pattern, which support players as they try to find real, verifiable security flaws in a system. The cards are divided into six suits based on the STRIDE mnemonic. The EoP card game was invented by Adam Shostack during his tenure at Microsoft and released in 2010. It is a beautifully produced deck that gamifies a security checklist, with play modelled on the card game Spades.

Because the game uses STRIDE threats, it gives you both a framework for thinking and specific, actionable examples of each class of threat. Adam wrote a white paper which explains the objectives and design of the game and his motivations for creating it.

Play the Elevation of Privilege Card Game with its Inventor, Adam Shostack

If you would like to gain experience of actually executing this process, with the best possible support, then sign up to our event on 16th February 2021. This is an opportunity to experience, first hand, a game of Elevation of Privilege supported by the game's inventor, threat modelling expert Adam Shostack. Working in a small group of just 7 participants, you'll use the game to find threats in a sample system architecture.

Event details

How to play the Elevation of Privilege game

Draw a diagram of the system you want to threat model before you deal the cards. Deal the whole deck to 3-6 players. Play starts with the 3 of Tampering. To play a card, the player reads it aloud, announces the threat it suggests against the diagram, and records it. Each round is won by the highest card played in the suit that was led, unless an Elevation of Privilege (EoP) card is played; in that case, the highest-value EoP card wins.

Many of the advantages of the game are cognitive or psychological, and we believe that playing with physical cards plays to those strengths.

With teams working remotely all around the world, this guide provides a framework for facilitators to set up games over video calls while still using physical cards.

  • Send out physical decks to every member of the team. Agile Stationery can pack and ship for you, or you can order in bulk to your own address and ship them onwards.
  • One or more teammates collaborate to produce or update a suitable diagram of the system, such as a data flow diagram.
  • A Games Master randomly generates "hands" of cards for each player using the online hand-dealing tool for EoP and Cornucopia.
  • The Games Master books the meeting and sets up the video call. The calendar invitation contains every player's hand.
  • Players work in rounds, following the normal game rules, to beat each other at matching the most serious threat to the system diagram.
  • The Games Master records where each threat was found and uses your organisation's normal systems (issue tracker, backlog) to manage the work of verifying and mitigating it.
  • Scores are calculated and a winner is declared.
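As an added illustration of the rules above (this is example code, not Agile Stationery's hand-dealing tool or any code from the game's inventor): a small Python model that deals hands for 3-6 players, finds who holds the 3 of Tampering, and decides a round by the "highest card of the led suit, unless an EoP card is played" rule. The lowest rank in each suit, chosen so the deck totals 74 cards, is an assumption.

```python
import random
from dataclasses import dataclass

EOP = "Elevation of Privilege"
SUITS = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", EOP]
RANK_VALUE = {r: v for v, r in enumerate(
    ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"], start=2)}
# Assumption: Tampering starts at 3 and EoP at 5, every other suit at 2,
# which gives the 74 cards the page mentions (4*13 + 12 + 10).
LOWEST = {"Tampering": "3", EOP: "5"}


@dataclass(frozen=True)
class Card:
    suit: str
    rank: str

    @property
    def value(self) -> int:
        return RANK_VALUE[self.rank]


def build_deck() -> list:
    return [Card(s, r) for s in SUITS
            for r in RANK_VALUE if RANK_VALUE[r] >= RANK_VALUE[LOWEST.get(s, "2")]]


def deal(players: list, seed=None) -> dict:
    """Shuffle the deck and deal it round-robin (the Games Master's job for remote play)."""
    if not 3 <= len(players) <= 6:
        raise ValueError("EoP is dealt to 3-6 players")
    deck = build_deck()
    random.Random(seed).shuffle(deck)
    return {p: deck[i::len(players)] for i, p in enumerate(players)}


def opening_player(hands: dict) -> str:
    """Play starts with the 3 of Tampering, so whoever holds it leads the first round."""
    return next(p for p, hand in hands.items() if Card("Tampering", "3") in hand)


def round_winner(plays: list) -> str:
    """plays: [(player, card), ...] in play order; the first entry is the lead.
    Highest card of the led suit wins unless an EoP card is played, in which case
    the highest EoP card wins. Other off-suit cards can never take the round."""
    led = plays[0][1].suit
    eop = [(p, c) for p, c in plays if c.suit == EOP]
    contenders = eop or [(p, c) for p, c in plays if c.suit == led]
    return max(contenders, key=lambda pc: pc[1].value)[0]
```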

Croupier - Generate random hands for remote workers

STRIDE stands for:

Letter  Name                    Description
S       Spoofing                Impersonating something or someone else.
T       Tampering               Modifying data or code.
R       Repudiation             Claiming not to have performed an action.
I       Information Disclosure  Exposing information to someone not authorized to see it.
D       Denial of Service       Denying or degrading service to users.
E       Elevation of Privilege  Gaining capabilities without proper authorization.