The Solution
FT introduced a game-inspired threat modelling session, utilising the Elevation of Privilege card game. They adapted the method as follows:
- Each participating team prepared a system diagram in advance and nominated at least three members (including someone to observe and record).
- The session is introduced with intentional framing: this is not about blame or criticism, but about learning how the system works, where threats might materialise, and how to collaborate across roles.
- The system diagram serves as the “game board”: the facilitator presents cards from the EoP deck (e.g., “Spoofing: An attacker who gets a password can reuse it”), and participants explore where that scenario applies in their system architecture.
- The session encourages participation from all attendees, gives quieter members space, and builds trust so that teams feel comfortable sharing.
The Outcomes & Value
- Teams gained a deeper understanding of their systems, not just what components exist, but how attackers might exploit pathways and how different roles connect. FT reported that they were “learning more about the systems that teams build” and that relationships between security and engineering strengthened.
- Participation and dialogue improved: the game context made teams more willing to engage, ask questions, and contribute.
- The process produced concrete follow-up actions: session notes were converted into stories in their project tracking system (e.g., JIRA), so that the threats identified became real tickets and remediation work.
- The remote variation proved that even game-based threat modelling can be effective when teams are distributed, mitigating a key barrier for many organisations.
This case illustrates a compelling use case for game-based threat modelling: the method helps teams break down silos, engage in active thinking about threats, and convert insights into tangible security actions.
This case study is informed by the Financial Times’ own write-up of their threat modelling initiative.