This case study focuses on ZHAW Zurich University of Applied Sciences, where Elevation of Privilege was used within continuing education and advanced security courses. The objective was to help students understand and apply threat-based security thinking in a practical and repeatable way, moving beyond isolated examples of vulnerabilities.
The Challenge
Teaching threat modelling in an academic setting presents a familiar problem: students are often introduced to vulnerabilities and attacks, but struggle to organise them into a coherent mental model. Without structure, threat discussions can become abstract, inconsistent, or overly theoretical.
The aim was to give students a framework they could use repeatedly, not just to learn terminology, but to reason about threats systematically and apply that reasoning in workshops and exercises.
Why Elevation of Privilege
Elevation of Privilege provided a clear, tangible way to introduce STRIDE (and STRIPED when privacy was in scope). Rather than treating threat categories as abstract concepts, the cards made them concrete and easy to reference during discussions.
This allowed the instructor to anchor security teaching around a shared structure that students could return to throughout the course.
How It Was Used
The cards were integrated into teaching in several ways:
- Concept introduction: STRIDE (and STRIPED) was introduced using the cards as a visual and practical reference.
- Vulnerability analysis: When discussing vulnerabilities, students were asked to identify which threat category applied and whether a corresponding card existed.
- Hands-on workshops: In threat-modelling sessions, student teams were instructed to play the game to identify threats for a given system or scenario.
While the game includes a scoring and winning mechanic, the focus remained on learning and discussion. Competitive elements were allowed where they helped motivate engagement, but they were not the primary goal.
Outcomes & Value
The approach helped students:
- develop a consistent way to classify and reason about threats
- connect individual vulnerabilities back to broader threat categories
- engage more actively in threat-modelling workshops
- move beyond passive learning to collaborative analysis
Using the same framework across lectures and workshops reinforced understanding and made threat modelling feel practical rather than theoretical.
This case shows how Elevation of Privilege works not only in industry, but also in education. By giving learners a structured, repeatable way to think about threats, the game helps build skills that transfer directly into professional practice — preparing students to participate confidently in real-world security and threat-modelling activities.
