Elevation of Privilege Game
The Elevation of Privilege (EoP) threat modeling card game is the easy way to get started threat modeling. Adam Shostack created it in 2010, after hearing Laurie Williams describe Protection Poker.
Play the Game!
The easiest way to get a nice physical copy is from Agile Stationery (direct, or via Amazon). They have a lovely landing page with more information. You can also download the Creative Commons licensed files from Github or Microsoft. Instructions are included.
In the pandemic, one of the questions I get over and over is "how does it work remotely?" I was initially worried, but I've learned it works great. I've learned by doing, and you can too. We now do regular sessions where we play to learn, and they work. You might think we're biased, and in that case, read what the Financial Times has shared about their experience, or in Dark Reading, Let's Play! Raising the Stakes for Threat Modeling With Card Games.
Elevation of Privilige is part of a growing movement of security games. Many people have made games built on EoP, including:
- Croupier, a hybrid physical/video framework for playing on a video call. (Agile Stationery)
- OWASP Cornucopia
- A privacy-enhanced version adding P to STRIDE (STRIPED) by Mark Vinkovits of LogMeIn. The blog post explains and has download links
- A privacy-centered version focused on TRIM: Transport, Retention/Removal, Inference, Minimisation by a team at F-Secure. Their github repo is Elevation of Privacy
Translations and Online Versions
There's also an ever-growing body of translations and plaftform implementations:
- A Japanese translation by Makoto Iguchi, and a German translation by D3tm4r.
- Four online versions
- An Android version by Digital Interruption
- An Alexa Skill by Fraser Scott
There's also a BoardGameGeek description of Elevation of Privilege, and a number of videos showing how to play, including this one by Sunny Wear.