Security Cards Threat Modeling Method

February 14, 2023


The Security Cards method uses a 'deck' of 42 cards to identify unusual and complex attacks. Unlike most other threat modeling approaches, it is based on brainstorming and creativity, and it was developed to help security teams study specific attacks and deepen their knowledge of threats and threat modeling. The cards prompt answers to questions about future attacks: the presumable attackers, their motivation, the target systems and the way an attack might be carried out. The deck is used like a board game to simulate an attack and consider possible responses. The method is very effective at identifying out-of-the-box strategies that common threat modeling methods usually leave unrevealed, and it helps introduce innovative, wide-ranging perspectives into the threat modeling process.

Cards description

Each card in the 42-card deck belongs to one of four threat identification dimensions and carries questions to speculate over and several examples. The four dimensions are the following:

  • Human Impact (9 cards). This dimension describes the impact that real people may suffer as a result of a successful attack and includes the biosphere, emotional well-being, physical well-being, societal well-being, financial well-being, personal data, relationships and unusual impacts.
  • Adversary's Motivations (13 cards). This is the 'intent' characteristic of a threat and includes access/convenience, curiosity/boredom, desire/obsession, diplomacy/warfare, malice/revenge, money, politics, protection, religion, self-promotion, world view and unusual motivations.
  • Adversary's Resources (11 cards). This dimension represents the infrastructure available to the adversary that can be used to facilitate an attack, and includes expertise, future world circumstances, impunity, inside capabilities, inside knowledge, money, power and influence, time, tools and unusual resources.
  • Adversary's Methods (9 cards). This dimension helps to consider the capabilities or techniques an attacker may use to conduct the attack. It includes an attack cover-up, an indirect attack, manipulation or coercion, a multi-phase attack, a physical attack, a technological attack, processes and unusual methods.

How is the method used?

First, the cards are distributed (this can be done before or during the session). After looking through each one, security team members choose two or more cards and, depending on the dimension each card represents, analyze them and discuss whether the random combination could make up a realistic attack scenario. Then the potential threats to the system are assessed: how the system could be attacked, who could pose the threat and what the purpose of the threat would be. This is the stage at which most of the brainstorming happens.
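As an added example, not code from the original article or from the Security Cards project: a small Python helper that builds the four dimensions from the card names listed above, draws a random combination of cards from distinct dimensions (the method asks for two or more) and turns it into the brainstorming prompts the team is expected to answer. The card names come from this page; the prompt wording and the seed are constructed assumptions.

```python
import itertools
import random
from math import prod

# Card names as listed in the article above (the full deck has 42 cards;
# these are the examples the article names for each dimension).
DECK = {
    "Human Impact": ["biosphere", "emotional well-being", "physical well-being",
                     "societal well-being", "financial well-being", "personal data",
                     "relationships", "unusual impacts"],
    "Adversary's Motivations": ["access/convenience", "curiosity/boredom", "desire/obsession",
                                "diplomacy/warfare", "malice/revenge", "money", "politics",
                                "protection", "religion", "self-promotion", "world view",
                                "unusual motivations"],
    "Adversary's Resources": ["expertise", "future world circumstances", "impunity",
                              "inside capabilities", "inside knowledge", "money",
                              "power and influence", "time", "tools", "unusual resources"],
    "Adversary's Methods": ["attack cover-up", "indirect attack", "manipulation or coercion",
                            "multi-phase attack", "physical attack", "technological attack",
                            "processes", "unusual methods"],
}

# Constructed prompts: the questions the article says the cards help answer.
PROMPTS = {
    "Adversary's Motivations": "Who would want this, and why?",
    "Adversary's Resources": "What infrastructure, knowledge or access would they need?",
    "Adversary's Methods": "How could the attack be carried out against our system?",
    "Human Impact": "Who is harmed if it succeeds, and how?",
}

def draw_combo(rng, k=4):
    """Draw k cards, each from a different dimension (k must be at least 2)."""
    if not 2 <= k <= len(DECK):
        raise ValueError("k must be between 2 and the number of dimensions")
    dims = rng.sample(list(DECK), k)           # distinct dimensions
    return {d: rng.choice(DECK[d]) for d in dims}

def combo_space(k):
    """Number of distinct k-card combinations drawn from k distinct dimensions."""
    return sum(prod(len(DECK[d]) for d in dims)
               for dims in itertools.combinations(DECK, k))

def worksheet(combo):
    """Render one draw as the prompts the team discusses for realism and response."""
    lines = [f"{dim}: {card} -> {PROMPTS[dim]}" for dim, card in combo.items()]
    lines.append("Realistic for this system? Note mitigation and detection ideas.")
    return "\n".join(lines)

def session(seed, rounds=3, k=4):
    """Reproducible set of draws for a brainstorming session."""
    rng = random.Random(seed)
    return [draw_combo(rng, k) for _ in range(rounds)]
```

Running `session(7)` and printing `worksheet()` for each draw gives the team a reproducible set of combinations to discuss and record outcomes against.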
