Privacy is becoming a key issue in today's Industrial Design Engineering. It is of utter most importance that privacy is integrated in the software development lifecycle as soon as possible. LINDDUN is a privacy threat analysis methodology that supports analysts in eliciting privacy requirements. LINDDUN is an explicit mirroring of STRIDE-per-element threat modeling. It stands for the following violations of privacy properties:
Disclosure of information
Policy and consent Noncompliance
LINDDUN is presented as a complete approach to threat modeling with a process, threats, and requirements discovery method. It may be reasonable to use the LINDDUN threats or a derivative as a tool for privacy threat enumerationin the four-stage framework, snapping it either in place of or next to STRIDE.
The LINDDUN threats as a tool can be used for privacy threat inventory.
The LINDDUN methodology is a threat modeling methodology. It helps analysts to systematically consider privacy issues and select enhancing technologies accordingly.
LINDDUN methodology consists of six steps:
Define the DFD
Map privacy threats to DFD elements
Identify threat scenarios
Elicit mitigation strategies
Select corresponding PETS
First, a data flow diagram (DFD) is created which is a structured graphical representation of the system using 4 major types of building blocks: entities, data stores, data flows, and processes.
Each DFD element type is associated with a number of privacy threat categories (7 high-level privacy threat categories were identified: Linkability, Identifiability, Non-repudiation, Dectectability, information Disclosure, content Unawareness, and policy and consent Non-compliance).
To identify the threats that are applicable to the analyzed system, for each building block the threats of the corresponding threat categories have to be examined.
The LINDDUN methodology aids the analyst by providing a set of threat trees which describe the most common attack paths for each possible combination of a threat type and a DFD element type.
Based on these trees, the analyst will document the identified threats using Misuse Case scenarios to describe the possible attacks in detail.
The threats then need to be prioritized according to their risk.
LINDDUN does however not explicitly provide risk analysis support.
The elicited threats can then be translated into privacy requirements.
Finally, LINDDUN provides a list of privacy solutions to mitigate the elicited threats.
In summary, LINDDUN starts with a DFD of the system that defines the system's data flows, data stores, processes, and external entities. By systematically iterating over all model elements and analyzing them from the point of view of threat categories, LINDDUN users identify a threat's applicability to the system and build threat trees.