Elevation of Privilege (EoP)
Threat Modelling Card Game

About

The Elevation of Privilege game is designed to be the easiest way to start looking at your design from a security perspective. It's one way to threat model, intended to be picked up and used by any development group.

Because the game uses STRIDE threats, it gives you a framework for thinking, and specific actionable examples of those threats.

STRIDE stands for:

Preparing to play

An Elevation of Privilege game is usually initiated for one of a few reasons: a group of developers has a system or feature to threat model, someone wants to learn or teach the skill, or someone has picked up a copy of the game and wants to explore.

This is a superset of all non-game motivations to threat model. In every case, it is important to start with a system to be threat modelled, and an architectural diagram of that system should be available. A whiteboard diagram is ideal if participants agree it is reasonably accurate and it shows programs, data flows and data stores. If no such diagram exists, it needs to be created before play starts.

Players need a way to track bugs. Pen and paper is fast and easy.

How to play the game

Play starts by dealing out the entire deck, and ensuring players are familiar with the rules. Shuffling the deck is optional but encouraged because it puts players in mind of a game. Players should be encouraged to put their cards on the table, and arrange them by suit. Players are encouraged to help each other, unless they’re a particularly cut-throat bunch.

The rules are as follows:

Play starts with the player who holds the 2 of Tampering, and then proceeds clockwise around the table in tricks. Starting with the 2 of Tampering is a design choice (see below).

Each trick is played ‘in’ the suit that was led. That is, each player must play a card of that suit if they have one. Playing a card consists of reading it aloud, explaining how it applies to the system being threat modelled, and putting it in the centre of the table.

Playing a card where a player knows of a compensating control is less exciting, but still valid, because it allows for discussion of compensating controls, and helps newcomers to threat modelling understand the cycle of discovery and mitigation.

If the player has no cards left in the suit that was led, then they may play a card from any suit. After each player has played a card, the trick is won by the player who has played the highest card in either the suit that was led or in the ‘trump’ suit, Elevation of Privilege.

The highest card is the highest-value card played in the suit led, unless one or more trump cards were played. If a trump card has been played, the highest-value trump card is the winning card.

A scorekeeper takes note of the threat and who found it. A point is allocated for each threat played, and optionally each brainstormed threat (see design tradeoffs). The written rule says to only count the highest card which was actually connected to the system being developed, but in practice this is sometimes discarded to give beginners a deeper involvement.