Lightweight Privacy Threat Modelling using LINDDUN

View the original Working Session content

Description of session

Session on Privacy threat modelling using the LINDDUN framework with Kim Wuyts. This session is twofold. Firstly, it highlights the differences between privacy and security threat modeling, introducing privacy properties and providing an overview of the LINDDUN threat modeling framework. Secondly, it dives into the ongoing LINDDUN privacy threat modeling research, including the lightweight application of LINDDUN.


  • The following are outcomes requested from the LINDDUN research team based on questions posed to the group on what they would want to see:
    • Some specific (as opposed to abstract) examples have been requested from the TM project group to the LINDDUN researchers (Kim), and these will be presented in the LINDDUN research docs
    • Low expertise / lightweight methodology examples requested
  • The LINDDUN project looks to support multiple ‘extraction’ types, please reach out to the LINDUNN team to discuss your preferred ‘extraction’ type.

Synopsis and Takeaways

  • Slides prepared by Kim were presented on the full LINDDUN model and these will be linked once received from the presenter. Slides discussed in depth included:

    • A Privacy Impact Assessment (GDPR requirement) is very similar/ if not the same as a threat model
    • Overview of LINDDUN (Linkability, Identifiability, Non-Repudiation, Detectability, Disclosure of Information, Unawareness and Non-Compliance).
    • Kim presented information on security vs privacy threat modeling and how the mindset differs (comparison is in the slides)
    • An overview of the LINDDUN privacy engineering framework (which follows the familiar 4 question method)
      • Covered LINDDUN threat trees and their usage
      • Covered recent and ongoing privacy engineering research
      • Current research in creating a lightweight model (slides presented)
  • The LINDDUN project team are studying what they should create to support adoption of the methodology (e.g. Cheatsheets, Top 10 privacy threat lists etc.). Please reach out to Kim with feedback.

  • Team briefly discussed cheatsheets and their use and covered:

    • Our cheat sheets should be readable by a novice, condensing the need to know information

Identified Questions

  • How can the Threat Modeling project best support the LINDDUN research work?
  • How does a process that relies heavily on diagrams integrate with current agile ways of working - where ‘good’ diagrams are not always present or are too time consuming to create in the required format?
  • When are people doing prioritisation (do we need to do a cheatsheet linking to OWASP RRM?) -> many are doing applicability in the model, but prioritisation after the model session.
  • When is LINDDUN applicable? Is it in every use case? Is it for certain types of workloads?
  • Can automation support the implementation of LINDDUN? Currently activities highlighted are all manual and require heavy SME investment.
  • Is there an academic study comparing threat model methodologies? (Many people said they would like to read this)

Follow up

  • Get slides from Kim Wuyts (via Steven W - who needs to get a G-drive space from Harold/ OWASP team)
  • Kim to post on OWASP Slack with a questionnaire link


Session organiser(s)


Attached materials: