Review - Elevation of Privilege

Cover image

Elevation of Privilege is a game for threat modelling based on the STRIDE Framework. Thread modelling really just means understanding the threats that your system is susceptible to, then using that to protect your system in a risk-based way. Setup is easy as at it's core this is a fairly simple card game. It's open source so you can download and print your own, buy online, or even play a web version online. You probably want to allow 1-2 hours to play through depending on how thorough you want to be, and although offically it's rated for 3-6 players you could still use it as a threat modelling tool with any number of people. The game is fun, but definitely a bit more serious than some others as it has actual work outcomes – i.e. thread modelling your system.

Gameplay

To play the game, you first need to draw a diagram of your system architecture, particularly focused on the security surface area such as communication between components and interfaces in and out of the system. Then play proceeds as follows:

  • Deal out all the cards
  • Play hands (once around the table)
  • Connect the threat on a card to the diagram (if you can)
  • Play in the same suit if you can, high card wins the hand
  • Play once through the deck

Setup

Download or Buy or Play Online

Tips

  • Ensure you have a clear, up to date diagram before starting
  • Do some basic upskilling on threat modelling first to maximise work outcomes
  • Pre-filter the deck for cards that are totally irrelevant to your system to allow the game to run smoother
  • Record the best threats and add to your backlog (if you will actually fix them)
  • Aces are for threats not listed on the cards, not a “win everything” card