Elevation of Privilege Game
The Elevation of Privilege (EoP) threat modeling card game is the easy way to get started threat modeling. Adam Shostack created it in 2010, after hearing Laurie Williams describe Protection Poker.
Play the Game!
The easiest way to get a nice physical copy is from Agile Stationery (direct, or via Amazon). They have a lovely landing page with more information. You can also download the Creative Commons licensed files from Github or Microsoft. Instructions are included.
In the pandemic, one of the questions I get over and over is "how does it work remotely?" I was initially worried, but my answer now is it works great, because we do sessions where we play to learn, and they work. You might think we're biased, and in that case, read what the Financial Times has shared about their experience.
Elevation of Privilige is part of a growing movement of security games. Many people have made games built on EoP, including:
- Croupier, a hybrid physical/video framework for playing on a video call. (Agile Stationery)
- OWASP Cornucopia
- A privacy-enhanced version adding P to STRIDE (STRIPED) by Mark Vinkovits of LogMeIn. The blog post explains and has download links
- A privacy-centered version focused on TRIM: Transport, Retention/Removal, Inference, Minimisation by a team at F-Secure. Their github repo is Elevation of Privacy
Translations and Online Versions
There's also an ever-growing body of translations and plaftform implementations:
- A Japanese translation by Makoto Iguchi, and a German translation by D3tm4r.
- Three online versions (https://elevation-of-privilege.herokuapp.com/ (with source), http://eopgame.herokuapp.com/ and https://eopgame.azurewebsites.net/)
- An Android version by Digital Interruption
- An Alexa Skill by Fraser Scott
There's also a BoardGameGeek description of Elevation of Privilege, and a number of videos showing how to play, including this one by Sunny Wear.