Ready or not, the digitalization of information has arrived, and privacy may well be at stake. Although digital privacy is recognized as a priority in our society, few systematic, effective methodologies exist that deal with privacy threats thoroughly. This paper presents a comprehensive framework for modeling privacy threats in software-based systems. First, it provides a systematic methodology for modeling privacy-specific threats. Analogous to STRIDE, an information-flow-oriented model of the system is used to guide the analysis and to provide broad coverage. The methodology tells the analyst which issues to investigate and where in the model those issues could emerge, by (i) defining a list of privacy threat types and (ii) mapping those threat types onto the elements of the system model. Second, it provides an extensive catalogue of privacy-specific threat tree patterns that can be used to refine the threat analysis outlined above. Finally, it provides the means to map existing privacy-enhancing technologies (PETs) to the identified privacy threats, which simplifies the selection of sound privacy countermeasures.
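As an added illustration of the methodology the abstract describes (not code from the paper or its authors), the script below walks through the steps in order: model the system as information flows, enumerate candidate threats by mapping threat types onto DFD element types, prune candidates with documented analyst assumptions, and map what remains to candidate PETs. The threat-to-element mapping table and the PET catalogue are my own illustrative assumptions written from memory of the LINDDUN material; the sample system is constructed for the example and the authoritative tables should be taken from the paper itself.

```python
"""Toy LINDDUN-style privacy threat elicitation over a data-flow diagram (DFD).

Added example. Follows the steps in the abstract: model the system as
information flows, map privacy threat types onto DFD element types, prune
candidates with documented analyst assumptions, then map what is left to
candidate privacy-enhancing technologies (PETs). The mapping table and the
PET list are illustrative assumptions, not the paper's own catalogue.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The seven LINDDUN privacy threat categories.
L, I, N, D, DI, U, NC = (
    "Linkability", "Identifiability", "Non-repudiation", "Detectability",
    "Disclosure of information", "Unawareness", "Non-compliance",
)
THREAT_ORDER = [L, I, N, D, DI, U, NC]

# ASSUMPTION: threat-type -> DFD-element-type mapping, written from memory of
# the published LINDDUN table; take the authoritative table from the paper.
MAPPING: Dict[str, Set[str]] = {
    "entity":     {L, I, U},
    "process":    {L, I, N, D, DI, NC},
    "data_store": {L, I, N, D, DI, NC},
    "data_flow":  {L, I, N, D, DI, NC},
}

# ASSUMPTION: illustrative PET candidates keyed by (threat type, element type).
PETS: Dict[Tuple[str, str], List[str]] = {
    (L, "data_flow"):   ["mix network / onion routing", "anonymous credentials"],
    (I, "data_flow"):   ["anonymous credentials", "onion routing"],
    (L, "data_store"):  ["pseudonymisation", "k-anonymity on released data"],
    (I, "data_store"):  ["pseudonymisation", "data minimisation"],
    (N, "data_flow"):   ["deniable authentication"],
    (D, "data_flow"):   ["dummy / cover traffic", "steganography"],
    (DI, "data_flow"):  ["transport encryption"],
    (DI, "data_store"): ["encryption at rest", "access control"],
    (U, "entity"):      ["privacy feedback and consent interface"],
    (NC, "process"):    ["policy enforcement with audit logging"],
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # entity | process | data_store | data_flow
    boundary: str   # trust boundary the element sits in; used to justify assumptions


@dataclass(frozen=True)
class Assumption:
    """An analyst decision to take one (element, threat) pair out of scope."""
    element: str
    threat: str
    justification: str


def elicit(model: List[Element], assumptions: List[Assumption]) -> List[Tuple[str, str]]:
    """Return the (element name, threat type) pairs still open after assumptions."""
    open_threats: Set[Tuple[str, str]] = set()
    for e in model:
        if e.kind not in MAPPING:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        for t in MAPPING[e.kind]:
            open_threats.add((e.name, t))
    for a in assumptions:
        # An assumption that matches nothing is usually a typo or a duplicate;
        # silently ignoring it would leave a threat unreviewed, so fail loudly.
        if (a.element, a.threat) not in open_threats:
            raise ValueError(f"assumption matches no open candidate: {a}")
        open_threats.discard((a.element, a.threat))
    position = {e.name: i for i, e in enumerate(model)}
    return sorted(open_threats, key=lambda p: (position[p[0]], THREAT_ORDER.index(p[1])))


def select_pets(model: List[Element], threats: List[Tuple[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map each open threat to candidate PETs; flag gaps the catalogue does not cover."""
    kind_of = {e.name: e.kind for e in model}
    return {
        (name, t): PETS.get((t, kind_of[name]), ["no PET catalogued; needs bespoke design"])
        for name, t in threats
    }


def example_model() -> Tuple[List[Element], List[Assumption]]:
    """Constructed sample: a symptom-reporting service (not a real system)."""
    model = [
        Element("patient", "entity", "user device"),
        Element("patient->submit", "data_flow", "internet"),
        Element("submit symptoms", "process", "backend"),
        Element("submit->DB", "data_flow", "backend"),
        Element("symptom DB", "data_store", "backend"),
    ]
    assumptions = [
        Assumption("submit->DB", D,
                   "flow stays inside the backend boundary; attacker has no LAN access"),
        Assumption("submit->DB", DI,
                   "same boundary argument; disclosure on the LAN is out of scope"),
    ]
    return model, assumptions


if __name__ == "__main__":
    model, assumptions = example_model()
    for (name, threat), pets in select_pets(model, elicit(model, assumptions)).items():
        print(f"{name:16} {threat:26} -> {', '.join(pets)}")
```

Two design points carry over to a real assessment: an assumption that matches no open candidate is treated as an error rather than ignored, because a mistyped assumption would otherwise leave a threat silently unreviewed, and threats with no catalogued PET are surfaced explicitly so the gap in countermeasure coverage is visible rather than lost.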
Realizing privacy-preserving software requires the application of principles such as Privacy by Design (PbD), which call for privacy to be considered early in the software development lifecycle. While privacy threat modeling approaches such as LINDDUN provide a systematic and extensive assessment of a system's design, applying them requires the analyst to have (i) extensive privacy expertise and (ii) sufficient experience with the threat modeling process itself. Hence, there is a high startup cost to applying these techniques. To lower this initial threshold, more lightweight privacy analysis approaches are needed. In this paper, we (i) discuss the requirements for early, lightweight privacy analysis approaches; (ii) present LINDDUN GO, a toolkit that supports lightweight privacy threat modeling; and (iii) describe the pilot studies conducted with industry professionals as a preliminary evaluation. The availability of lightweight privacy analysis approaches reduces the initial effort needed to start privacy threat modeling and can therefore enable more widespread adoption of system privacy assessments in practice.