Shostack + Friends Blog


Power Dynamics in Threat Modeling


On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling. Because comments on Linkedin are a transient resource, I'm going to quote heavily:

The team here ran a session with people in the same room using Miro (maybe 1 remote) and we found it stripped the barriers of either "taking the pen" or calling out threats to a board. That style of threat modelling can make some uncomfortable, resulting in people with great ideas staying quiet.

Being behind a laptop drawing on Miro, we saw more boldness from developers. It has a nice flow to it and allows you to get things down on virtual paper fast... and some of our more creative people's drawings made it fun, which wasn't an expectation. Just an observation I thought I would share.

This really hit home for me. I aspire to create inclusive ways to threat model, because different perspectives help us discover different problems. I'd like to use Peter's comment to think about power dynamics in threat modeling. I am fond of whiteboards, because whiteboards, for me, are contrasted with an architect controlling a projector with a Visio doc. It's tremendously uncomfortable, shocking even, to elbow them out of the way and start using their laptop to edit.

That's one example of a power dynamic, and Peter brings up another. These are important. They influence the quality of the work. If we want to leverage all the brains in the room, we need to find ways to let people speak and be heard. We need to ensure everyone has both permission and encouragement to engage, and to avoid having the conversation be dominated by one or two people.

There are other power dynamics, including gender and cultural origin, especially the way a culture treats power differentials and respect. (Just to be concrete, imagine the dynamic over a laptop with a man and a woman in each role. Imagine co-workers from Israel, Japan and India, and how each engages.) There's also organizational culture power dynamics, such as stem from seniority, length of time at the company or being part of a profit center or a cost center.

I've talked about one of the useful properties of the Elevation of Privilege game being power leveling: anyone can record a threat "to get the point," and that's why there's a point system in the game. Another mechanism that can help is using surveys as part of addressing "did we do a good job?"

I'm very curious, what else have you seen that helps reduce power differentials and get everyone engaged?

Image via Jopwell.