Elevation of Privilege: Drawing Developers into Threat Modeling

This paper presents Elevation of Privilege, a game designed to draw people who are not security practitioners into the craft of threat modeling. The game uses a variety of techniques to do so in an enticing, supportive and non-threatening way. The subject of security tools for software engineering has not generally been studied carefully. This paper shares the objectives and design of the game, as well as the tradeoffs made and lessons learned while building it. It concludes with a discussion of other areas where games may help information security professionals reach important goals.
