Draw a diagram of the system you want to threat model before you deal the cards.
Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play clockwise, and each player in turn follows in the suit if they have a card in the suit. If they don’t have that suit, they can play another suit. The high card played takes the trick, with Elevation of Privilege taking precedence over the suit lead. Only Elevation of Privilege (EoP) or the lead suit can take a trick.
To play a card, read the card, announce your threat and record it. If the player can’t link the threat to the system, play proceeds.
Take a few minutes between hands to think about threats.
Threats should be articulated clearly, testable, and addressable. In the event that a threat leads to an argument, it should be resolved by asking the question: “Would we take an actionable bug, feature request or design change for that?” If the answer is yes, it is a real threat. (This doesn’t mean that threats outside of that aren’t real; it’s simply a way to focus discussion on actionable threats.) Questions that start with “There’s a way” should be read as “There’s a way…and here’s how…” while questions that start with “Your code” should be read as “The code we’re collectively creating…and here’s how.”
The deck contains a number of special cards: trumps and open threats. EoP cards are trumps. They take the trick even if they are lower value than the suit that was led. The ace of each suit is an open threat card. When played, the player must identify a threat not listed on another card.
When all the cards have been played, whoever has the most points wins.
Points: 1 for a threat on your card, +1 for taking the trick
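The trick and scoring rules above, worked through as an added example (not part of the original rules). It assumes the usual card ordering with the ace high, since the rules only say "high card"; the player names, the non-Tampering suit names and the recorded threats are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: standard rank order, ace high.
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
TRUMP = "Elevation of Privilege"

@dataclass(frozen=True)
class Play:
    player: str
    suit: str
    rank: str
    threat: Optional[str]  # threat recorded against the diagram, or None if no link was found

def trick_winner(plays):
    """Return the Play that takes the trick; plays[0] is the lead."""
    lead = plays[0].suit
    trumps = [p for p in plays if p.suit == TRUMP]
    # Any EoP card beats every lead-suit card; off-suit cards never compete.
    pool = trumps or [p for p in plays if p.suit == lead]
    return max(pool, key=lambda p: RANKS.index(p.rank))

def score_hand(tricks):
    """Tally points: 1 per recorded threat, +1 to whoever takes each trick."""
    points = {}
    for plays in tricks:
        for p in plays:
            points[p.player] = points.get(p.player, 0) + (1 if p.threat else 0)
        points[trick_winner(plays).player] += 1
    return points

# Constructed sample hand of two tricks.
SAMPLE_TRICKS = [
    [Play("Ana", "Tampering", "3", "config file writable by web user"),
     Play("Ben", "Tampering", "K", "update package is not signed"),
     Play("Cy", "Spoofing", "A", None),  # off-suit: cannot win; no threat linked
     Play("Di", TRUMP, "5", "upload handler runs as root")],
    [Play("Di", "Repudiation", "9", "no audit log for admin actions"),
     Play("Ana", "Repudiation", "J", None),  # takes the trick without a threat point
     Play("Ben", "Denial of Service", "Q", "request body size is unbounded"),
     Play("Cy", "Repudiation", "4", "logs editable by the app account")],
]

if __name__ == "__main__":
    print(score_hand(SAMPLE_TRICKS))
```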