The purpose of the Security Cards is to facilitate the broad exploration on of potential security and privacy threats to a system with the “security mindset”.
Security Cards identify unusual and complex attacks. They are not a formal method but, rather, a kind of brainstorming technique. With help from a deck of cards (see an example in Figure 6), analysts can answer questions about an attack, such as
Who might attack?
Why might the system be attacked?
What assets are of interest?
How can these attacks be implemented?"
This method uses a deck of 42 cards to facilitate threat-discovery activities:
Human Impact (9 cards),
Adversary's Motivations (13 cards),
Adversary Resources (11 cards), and
Adversary's Methods (9 cards).
The Security Cards encourage you to think broadly and creatively about computer security threats by exploring with 42 cards along 4 dimensions (suits).
The Security Cards can be used for a wide range of purposes and in a wide range of contexts. For example,
the cards could be used by junior engineers to learn about security threats,
by professional software and hardware developers for training and to surface threats in system design, and
by project teams to communicate about potential security threats with management and others.
These detailed activities provide step-by-step suggestions for using the Security Cards in an interactive workshop/training context. The activities can be used "as is" or adapted and extended as needed. While the activities are phrased as engineering training plans, they can be used in other contexts as well.
Have participants consider a specific system.
With that system in mind, ask participants to consider each dimension independently and sort the cards within that dimension in order of how relevant and risky it is for the system overall.
Within each dimension, what orderings are identified?
Is there more than one reasonable ordering?
With Security Cards, the teams of participants exhibited higher effectiveness. Almost all types of threats were found by teams using Security Cards. Incorporate 5 Whys help to prevent false positives.
Have participant consider a specific suite.
With that system in mind and using the entire card deck, have participants explore card combinations from different dimensions to surface possible threats to the system.
Which combinations of cards surface critical threats?
Which surface surprising threats?
Which threats are most relevant overall?
The Security Cards approach to threat modeling emphasizes creativity and brainstorming over more structured approaches, such as checklists, to help users identify unusual or more sophisticated attacks. The method is suitable for purposes ranging from fundamental learning about security threats to aiding professionals in system design.