Elevation of Defenses
Using games to help us explore engineering techniques
Once a month or so, I run an Elevation of Privilege session with Agile Stationery. We spend 90 minutes playing the game, talking about threat modeling, how to introduce it, and showing how to make it work.
One of the reasons I do it is that I learn from the participants, and in a recent session for a bank, I got a new perspective on scoring that I want to share.
Kit M. asked "can we give a point for coming up with a defense?" First: heck yes. You can give points for whatever you want. And you should give points in ways that reward the behaviors you want to see. So, giving a point for a defense is good, and makes me wonder: is the game too focused on offense? Is there a variant where you get points for coming up with threats that are already blocked by the defenses that software engineers have built and tested? Maybe that's a team variant, and we could do something like...
Discovering a threat: 1 point
Noting a potential defense: 1 point
Noting an implemented defense: 2 points
Discovering a variant of the threat that bypasses the defense: 1 point
Explaining how an implemented defense prevents the variant: 3 points
Games are an important tool for engineering — they open the door to playful exploration of possibilities. When playing, we choose to move into a space where we arbitrarily limit ourselves with a set of rules. (Soccer is way easier if you pick up the ball with your hands, but we agree in playing soccer not to do that.) A correlate is that we know we're there to have fun, and it's ok to make suggestions like "what if we change the rules?"
Photo: US Army Corps of Engineers.