Understanding challenges to adoption of the Microsoft Elevation of Privilege game

Abstract

The goal of secure software engineering is to create software that keeps performing as intended even when exposed to an active attacker. Threat modelling is considered to be a key activity, but can be challenging to perform for developers. Microsoft has tried to lower the bar through creating a threat modelling game called Elevation of Privilege (EoP), but anecdotal evidence suggests that it has seen little use in actual development projects. To learn more about challenges facing adoption of EoP, we performed a case study in a university setting comprising several agile development projects. The results show that the game aided in discussing and learning about software security, but the impact on development seems to have been limited. In addition, challenges related to game dynamics, relevance of hints on the cards, and the time needed to play the game, limits the acceptance of the game