top of page


The basics: threat cards, hotspots, elicitation questions

The LINDDUN GO approach is simple: The most common privacy threats are depicted in 34 threat type cards, which come in 6 suits, representing the main LIND(D)UN threat categories. Each card summarizes its threat type and provides useful information for further guidance. As a team, you take turns in picking cards and brainstorming whether the card highlights relevant risks to your system.

If yes, you document these threats for future mitigation discussions.

Card template

The card template is designed to help you during the iteration process.

  • It depicts the system hotspot where the threat occurs (in/outbound communication, processes, storage and retrieval actions).

  • It depicts the threat source (organizational, external, receiving party).

  • It poses two questions to help you determine if the threat is applicable.

  • It gives some examples of the threat and its possible consequences.

Make sure you have a simple system sketch at hand, containing all elements that correspond to the hotspot types.


Gather a group of privacy enthusiasts.

A system architect, a DPO, a CISO, a software engineer, a legal advisor ...

Draw a sketch of the system that you want to threat-model, including elements that correspond to the hotspot types: in/outbound communication, storage and retrieval actions, processes.
You will use this sketch throughout the assessment.

Take turns picking a random card. For each drawn card, take turns in identifying potential privacy threats.

  • Read out the drawn card.

  • Systematically iterate over each corresponding hotspot in the system sketch and answer the two elicitation questions on the card. If unsure, assume ‘yes’.  

    • Q1 – Could it be done? Q1 helps you determine if the prerequisites of the threat are fulfilled and the threat could occur.

    • Q2 – Would is pose a problem? Q2 helps you assess if the threat is actually applicable.

  • If both questions for one particular hotspot are affirmative, you’ve identified a threat. Document it.

  • Proceed with iterating over the remaining hotspots until no one can identify any new threats for this particular card.

The exercise is finished when you’ve examined all selected threat cards.

System sketch and hotspots

A prerequisite for correctly using LINDDUN GO is to have a simple sketch or model of the system under assessment.

Any visual representation of the system is workable, as long as it includes the system hotspots, i.e. where threats usually originate.


LINDDUN GO defines 5 hotspots or system interactions:

  • data flows to the system - inbound

  • data flows from the system - outbound

  • data storage actions

  • data retrieval actions

  • data being processed in the system


To guide you through the threat modeling process, each threat type card depicts the applicable hotspot as well at threat source.

Contrary to security threat modeling where the main concern is to protect against outsider threats, privacy threat modeling often concerns insider threats. In fact, data privacy is often compromised by the organization as a whole or by authorized system users, even if it is not intentional.

LINDDUN GO considers 3 threat sources

  • External attacker: malicious outsider who’s able to access or observe communication or stored data.

  • Organizational: either the organization as a whole does not respect the data subject's privacy (i.e. by collecting, processing, storing or sharing personal data in a privacy-violating way) or an authorized employee/user (ab)uses personal data in a privacy-intrusive way.

  • Receiving party: receiving end of the communication or future receiving end.

bottom of page