You add a parameter to the SqlCommand object like so:
cmd.Parameters.AddWithValue("@privillege", privillege);
Also, don't forget to change the SqlCommand.CommandType to stored procedure, e.g.:
cmd.CommandType = CommandType.StoredProcedure;
However, in your case, with the query as specified, you can't use parameters: since you are using IN as part of the WHERE clause, you can't pass parameters for use in this case.
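An added example (not code from the answer above) showing the two forms in ADO.NET: the stored-procedure call with a typed parameter, and an IN (...) list where each value is bound to its own generated parameter so that no user input is ever concatenated into the SQL text. The procedure name GetUsersByPrivilege, the Users table, its columns and the parameter sizes are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class PrivilegeQueries
{
    // Stored-procedure call: the value travels as a typed parameter, never as SQL text.
    // Procedure name and column size are assumed for this example.
    public static DataTable UsersByPrivilege(SqlConnection conn, string privilege)
    {
        using (var cmd = new SqlCommand("GetUsersByPrivilege", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@privilege", SqlDbType.NVarChar, 50).Value = privilege;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }

    // IN (...) list with a variable number of values: one named parameter per value.
    // Only the generated parameter names (@p0, @p1, ...) are concatenated into the
    // statement; the user-supplied values themselves are always bound as parameters.
    public static SqlCommand BuildInQuery(SqlConnection conn, IReadOnlyList<string> privileges)
    {
        if (privileges.Count == 0)
            throw new ArgumentException("IN list must not be empty", nameof(privileges));

        var cmd = new SqlCommand { Connection = conn, CommandType = CommandType.Text };
        var names = new List<string>(privileges.Count);
        for (int i = 0; i < privileges.Count; i++)
        {
            string name = "@p" + i;
            names.Add(name);
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = privileges[i];
        }
        // Table and column names are assumed for this example.
        cmd.CommandText = "SELECT UserName FROM Users WHERE Privilege IN ("
                          + string.Join(", ", names) + ")";
        return cmd;
    }
}
```

SQL Server caps a single command at 2100 parameters, so very long lists should be chunked or passed as a table-valued parameter instead.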