Card games makes threat modeling a team-building game. All team members are gathered together with a deck of cards and the data flow diagram of the application. Each card represents one common threat. Take OWASP Cornucopia as an example. The threats are also mapped to industry practices such as OWASP SCP, OWASP ASVS, CAPEC, and SAFECode.

The OWASP Cornucopia defines six suits for the key security areas:

• Data validation and encoding (VE)
• Authentication (AT)
• Session management (SM)
• Authorization (AZ)
• Cryptography (CR)
• Cornucopia (C)

Refer to this link for a DOC or PDF version of the cards: https://www.owasp.org/index.php/OWASP_Cornucopia#tab=Get_the_Cards.

For example, in the Data Validation & Encoding suit card 2, which follows, ...