Security and Privacy threat modeling via card games

Hi

As a teacher of software security I teach the art of threat modeling, and I find it very interesting to do this through gamification, as it makes it harder to forget a particular threat and it makes adopting threat modeling fun. What is your opinion on this?

For security threat modeling there are plenty of card games available, but I use “Elevation of Privilege: The Threat Modeling Game” and “OWASP Cornucopia”.

For privacy threat modeling I use the LINDDUN GO cards.

2 Likes

Hey Dimitri, just thought I would mention, as you already use the EoP game from Adam Shostack, that you might benefit from knowing about Brett Crawley’s book, which acts as a guide for the game. It is helpful for real-world examples: Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture (Brett Crawley, ISBN 9781804618974). Happy threat modeling!

2 Likes

Thanks for sharing this, I just bought the book 🙂

1 Like

I want to start off by saying I am a fan of the work on EoP. That being said, I think we can start taking the next step as an industry from gamification (adding game elements/fun to existing learning activities) to a game (fun is baked into the experience). It is like how we don’t like bolting security onto our applications. I sometimes see gamification as bolting fun onto training.

The benefit of a game is that it can be played without needing a skilled practitioner to facilitate, and it does not require an existing work project, as it is self-contained. This enables the experience to be shared in more diverse settings (conference, home, etc.) with a more diverse group of people (they do not need to have a shared work project).

There is a place for both. A game is good for making the topic more approachable, and then gamification helps with getting concrete work done. We struggle as an industry to get people through the door with a smile, which is where I see games coming into the picture.

I have developed a game called Byte Club that allows people to experience the cyber kill chain and the NIST Cybersecurity Framework. I am working with Agile Stationery now to publish it, and it should be generally available this November. This is the “early access” page to see more: BYTE CLUB

1 Like

I totally agree with you. I am also interested in knowing more about Byte Club; it seems like something I can use in my courseware for security essentials 🙂

Byte Club is really good. We had a public round at the latest ThreatModCon and much fun was had.

1 Like

I have been using it as a way of threat modeling for a non-technical audience. As the cyber kill chain and the NIST Cybersecurity Framework break the mindset down into smaller chunks, I find it more approachable than STRIDE etc., which target a more technical audience.

I have been running something I call a Cyber Book Club internally. Take a news article and break it down with the cyber kill chain, and then we discuss together how to apply the NIST Cybersecurity Framework. The intention is to build critical thinking skills about cyber across the company rather than relying on cybersecurity to provide a checklist of things to do (which is impossible, as it is a moving target).

I recently posted a LinkedIn article on my methodology and why I take this approach. LinkedIn Login, Sign in | LinkedIn

3 Likes

For the record, Izar won the first public game ever 🙂

1 Like

I realize I put the wrong link to my LinkedIn article explaining more. I tried to edit the post, but it kept giving me a weird error: Cycle of Cyberwarfare

3 Likes

Is there any way to do more of these games virtually?

Actually, I just finished making Byte Club on Tabletopia. You can check it out here.

2 Likes

Already bought and received them, just searching for a play buddy 🙂

@dimitri.redant that is the intent of the virtual copy of the game. You can broaden who you can play with by doing it online. The main goal is to get more people playing to spread the learning goal and fun of Byte Club. That is why the digital copy is free to play. If people get what they want from the digital copy, that is fine with me.

That being said I still think the best experience will always be in person with a physical copy.

I also designed it to be a game first, so you can just play it with your friends and family or at conferences. They do not need cyber experience to play; that is actually the point.

Thanks for the support.