Social engineering is the acquisition of informationabout computer systems by methods that deeply include non-technical means. While technical security of most critical systemsis high, the systems remain vulnerable to attacks from socialengineers. Social engineering is a technique that: (i) does notrequire any (advanced) technical tools, (ii) can be used by anyone,(iii) is cheap. Traditional security requirements elicitation approaches oftenfocus on vulnerabilities in network or software systems. Fewapproaches even consider the exploitation of humans via socialengineering and none of them elicits personal behaviours of indi-vidual employees. While the amount of social engineering attacksand the damage they cause rise every year, the security awarenessof these attacks and their consideration during requirementselicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand thethreat and document security requirements. The game considersthe individual context of a company and presents underlyingprinciples of human behaviour that social engineers exploit, aswell as concrete attack patterns. We evaluated our approachwith several groups of researchers, IT administrators, andprofessionals from industry.