Understanding challenges to adoption of the Microsoft Elevation of Privilege game
Chapter
Accepted version
Permanent lenke
http://hdl.handle.net/11250/2571702Utgivelsesdato
2018Metadata
Vis full innførselSamlinger
- Publikasjoner fra CRIStin - SINTEF AS [5866]
- SINTEF Digital [2536]
Originalversjon
HoTSoS '18,Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security, Raleigh, North Carolina, April 10-11, 2018, pp 10Sammendrag
The goal of secure software engineering is to create software that keeps performing as intended even when exposed to an active attacker. Threat modelling is considered to be a key activity, but can be challenging to perform for developers. Microsoft has tried to lower the bar through creating a threat modelling game called Elevation of Privilege (EoP), but anecdotal evidence suggests that it has seen little use in actual development projects. To learn more about challenges facing adoption of EoP, we performed a case study in a university setting comprising several agile development projects. The results show that the game aided in discussing and learning about software security, but the impact on development seems to have been limited. In addition, challenges related to game dynamics, relevance of hints on the cards, and the time needed to play the game, limits the acceptance of the game