Gamify your threat modeling with Nixu Cyber Bogies

Anne Oikarinen

Senior Security Consultant and Content Creator

February 27, 2020 at 09:53

Are you thinking about starting to do threat modeling? Are you having trouble identifying potential misuse scenarios? Download our deck of Nixu's Cyber Bogie cards today and gamify your threat workshops!

Cyber Bogies are memorable harm-doers

Cyber Bogies are our gallery of "usual suspects": malicious and otherwise troublesome people that may form some threat for IT systems or processes. The list includes crackers, opportunistic abusers, common criminals, incompetent or annoyed users, insiders, and nation-state operators. The characters are based on stereotypes and caricatures, which make them memorable and easier to understand. We intend to tickle your imagination and help with putting theoretic threats into context.

Cyber Bogies help you identify cybersecurity threats to the systems you are protecting.

Cyber Bogies are also based on the actual threat landscape. That's why the cards include cybercriminals from Eastern Europe and Latin America, teenager script kiddies, corporate espionage, Advanced Persistent Threat (APT) groups, annoyed or unaware users, malicious administrators, and so on. These are actual phenomena and relevant cybersecurity threats for some, although the attribution may vary, for example, based on the country you live in or where you work. However, we do not want to offend or discriminate against any nationality or ethnicity in any way. For example, "Nigerian Letters" is a type of financial scam and named for its origin, but it is needless to say that it doesn't mean many Nigerians would be involved in scams.

It's easier to talk with your team about the potential harm-doers if they have names. That's why we have Jonne the Script Kiddie, Aidan the Evil Data Scientist, and Lisbeth the Supply Chain Attacker, to name a few. We have attempted to keep a balance between female, male, and unisex names and sincerely hope that no one will be offended by the selection of names, even if you find your namesake. For your own use, you can also rename the cards to your liking.

Cyber Bogies help you understand your system's cyber security

To understand the cybersecurity threats that are relevant to the systems you are protecting, you need to understand two things: first, what data and resources you need to protect; second, who is motivated to attack you and who may cause security problems by mistake. The cybersecurity threats we face differ depending on whether we are defending a power plant or a mobile application for booking massage therapist appointments.

Cyber Bogies help when you run out of ideas or find it difficult to think like a hacker. You can use Cyber Bogie cards together with the evil user stories technique explained in Nixu's blog post Cyber attack motives, part 2: Evil user stories for discovering actionable threat scenarios, which works by thinking about what bad things should not be allowed to happen.

Cyber Bogie card deck is available on GitHub

The Cyber Bogie cards are available on GitHub.

The cards are for you to print and use under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International license. To summarize the most important aspects of the license, you can copy and redistribute the cards as long as you give credit to Nixu and use the cards for non-commercial purposes.

Besides the card deck, the repository contains two example systems that you can use for practicing threat modeling and trying out how the cards work. Example misuse cases have been listed for many relevant Cyber Bogies.

You can also start a friendly battle against your workmates with the simple gameplay and scoring instructions also available in the repository. What an excellent way to spread security awareness, right?

How and when to use Cyber Bogies

You can use Cyber Bogies as a brainstorming aid in threat workshops, backlog grooming, test planning, or design meetings. For example, everyone can pick a Cyber Bogie card at random. Then take turns explaining to the others how this Cyber Bogie would attack the system, or why it is not relevant. Discuss briefly and write down the threats you found. Later on, check that you have existing mitigations for the threat scenarios. If you don't, investigate further and add new security controls to your backlog.

You can also pin the most relevant Cyber Bogie characters to your project room wall, so they are visible daily. Each time you are planning new features or changes, think about what harm the Cyber Bogies could cause.

We are interested in hearing your feedback and how you have used the cards! If you want Nixu to facilitate your workshop, contact us.
