LINDDUN GO - instructions
Gather a group of 2 to 5 people who want to assess the privacy of a software architecture.
Create a model of the system you want to analyze. Make sure it contains at least the elements that correspond to the hotspot types used by LINDDUN GO (inbound communication, outbound communication, processes, storage and retrieval actions), as you will need to iterate over each of these in the next steps.
Take turns picking a card. For each drawn card, take turns to identify a relevant applicable threat.
Read the drawn card
Systematically iterate over each corresponding hotspot on the system diagram and answer the two questions. (If you are uncertain about the answer, assume 'yes')
Q1 (could it be done?) helps to determine whether the prerequisites of the threat are fulfilled, i.e. whether the threat could occur.
Q2 (would it be a problem?) helps to assess whether the threat is actually applicable.
When you can answer 'yes' to both questions for one specific hotspot, you have found a threat. Great! Don't forget to document it.
Continue iterating over the other applicable hotspots until no one can identify any new threat that corresponds to the card (i.e. you finished an entire round without newly identified threats).
You are finished when all cards are examined.
Quick - Only the card drawer elicits an applicable threat. No group iteration over each card.
Time-boxed - Time-box the exercise (or limit the number of cards) and do multiple threat modeling sessions.
Fun - Turn it into a game and earn points for each identified threat.
Solitary - Use the threat type cards as input for an individual privacy threat elicitation exercise.
Freestyle - Only use the LINDDUN GO category cards to ideate privacy threats. (Note that this requires sufficient privacy expertise to be executed successfully)
Tips & Tricks
Discard non-applicable hotspot cards in advance or on the spot, i.e. when you draw a card with a hotspot that does not apply, you can discard it and pick a new card.
When you take turns to identify additional threats that correspond with the drawn card, you might end up with a joint group discussion (rather than taking turns). This is of course also fine. Just make sure everyone is able to pitch in.
Don't forget to shuffle the cards before you begin! The random order might inspire you to threats you might miss when you go through the deck category per category.
With a larger group (4+ people) it can be useful to assign 1 person as moderator to coordinate the elicitation discussion.
In addition to the card deck used to randomly select a threat type card, you can have additional deck(s) at hand as reference material for the other participants to read along.
Want to know more?
LINDDUN GO threat type cards
Threat type cards describe potential threats that can occur.
Each card is structured as follows:
Threat modeling typically uses data flow diagrams (DFDs) as the system model representation. While a DFD is a very simple model with only 5 main element types (entities, data stores, processes, data flows and trust boundaries), creating one can be considered overhead (because it needs to adhere to some basic rules, because other model representations already exist, etc.).
Hotspots are inspired by privacy-sensitive DFD interaction types; however, LINDDUN GO does not require a specific model representation. It can be a DFD, but also a client-server view, BPMN, a whiteboard sketch, or even a list of processing activities, as long as the system description contains at least information on each of the hotspot types: input and output flows to the system (including the involved actors), processing operations and storage components (store and retrieve operations). For optimal use, the types of information being communicated, processed and stored should also be documented.
These hotspot types are assigned to each threat type card and scope your search for applicable threats to those places in the system where the threat is most likely to occur.
LINDDUN GO targets 5 main hotspots that describe actions in the system.
Data enter the system.
A subtype of this hotspot describes an inbound flow with a user (i.e. human actor) as sender.
Data are being persisted in storage.
Data leave the system.
A subtype of this hotspot describes an outbound flow with a user (i.e. human actor) as recipient.
Data are being retrieved from storage.
Data are being processed internally.
Hotspots can also have additional constraints regarding the type of data involved.
P indicates that personal data are involved.
C indicates that user credentials are involved.
For example, when a user sends personal data to the system, this is depicted as follows:
For most threat type cards, these hotspot types will be specified even further by describing the type of data involved (e.g. only when personal data or credentials are involved), type of actor involved (e.g. a user is part of the interaction), etc.
The hotspot descriptions on the cards also have a textual explanation to further clarify the scope.
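As an added illustration of the two ideas above (hotspot scoping with the user subtype and the P/C data constraints, and the Q1/Q2 elicitation loop with "uncertain counts as yes"), the following Python script models a hypothetical web application and two constructed cards. It is not code from the LINDDUN project; the card titles, hotspot names and recorded answers are all constructed placeholders, and the `Hotspot`/`Card` data structures are an assumption about how one might encode a system model and a card.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class HotspotType(Enum):
    INBOUND = "inbound"      # data enter the system
    OUTBOUND = "outbound"    # data leave the system
    STORE = "store"          # data are persisted in storage
    RETRIEVE = "retrieve"    # data are retrieved from storage
    PROCESS = "process"      # data are processed internally


@dataclass(frozen=True)
class Hotspot:
    """One hotspot instance in the system model (a flow, a store access or a process)."""
    name: str
    kind: HotspotType
    user_involved: bool = False   # user is the sender (inbound) or recipient (outbound)
    personal_data: bool = False   # "P": personal data are involved
    credentials: bool = False     # "C": user credentials are involved


@dataclass(frozen=True)
class CardHotspot:
    """Hotspot specification printed on a card; a True flag is a required constraint."""
    kind: HotspotType
    user_involved: bool = False
    personal_data: bool = False
    credentials: bool = False


@dataclass(frozen=True)
class Card:
    title: str
    category: str
    hotspots: Tuple[CardHotspot, ...]


def matches(spec: CardHotspot, hotspot: Hotspot) -> bool:
    """The card spec applies when the hotspot type agrees and every constraint
    the card sets (user subtype, P, C) holds for the model hotspot."""
    return (spec.kind == hotspot.kind
            and (not spec.user_involved or hotspot.user_involved)
            and (not spec.personal_data or hotspot.personal_data)
            and (not spec.credentials or hotspot.credentials))


def applicable_hotspots(card: Card, model: List[Hotspot]) -> List[Hotspot]:
    """Scope the search for this card to the places in the model where it can apply."""
    return [h for h in model if any(matches(s, h) for s in card.hotspots)]


def counts_as_yes(answer: str) -> bool:
    # Answers are "yes", "no" or "unsure"; if the group is uncertain, assume 'yes'.
    return answer in ("yes", "unsure")


def elicit(card: Card, model: List[Hotspot],
           answers: Dict[Tuple[str, str], Tuple[str, str]]) -> List[dict]:
    """Iterate over every applicable hotspot, look up the group's answers to
    Q1 (could it be done?) and Q2 (would it be a problem?), and document a threat
    when both count as 'yes'. A hotspot with no recorded answer is treated as unsure."""
    threats = []
    for h in applicable_hotspots(card, model):
        q1, q2 = answers.get((card.title, h.name), ("unsure", "unsure"))
        if counts_as_yes(q1) and counts_as_yes(q2):
            threats.append({"card": card.title, "category": card.category,
                            "hotspot": h.name, "q1": q1, "q2": q2})
    return threats


def run_session(cards: List[Card], model: List[Hotspot],
                answers: Dict[Tuple[str, str], Tuple[str, str]]) -> List[dict]:
    """Play every card in the deck and collect the documented threats."""
    return [t for card in cards for t in elicit(card, model, answers)]


# Constructed system model of a hypothetical web application.
MODEL = [
    Hotspot("login-form", HotspotType.INBOUND, user_involved=True, credentials=True),
    Hotspot("profile-form", HotspotType.INBOUND, user_involved=True, personal_data=True),
    Hotspot("partner-api-import", HotspotType.INBOUND, personal_data=True),
    Hotspot("profile-db-write", HotspotType.STORE, personal_data=True),
    Hotspot("session-cache-write", HotspotType.STORE),
    Hotspot("profile-db-read", HotspotType.RETRIEVE, personal_data=True),
    Hotspot("recommendation-engine", HotspotType.PROCESS, personal_data=True),
    Hotspot("analytics-export", HotspotType.OUTBOUND, personal_data=True),
    Hotspot("monthly-report-to-user", HotspotType.OUTBOUND, user_involved=True, personal_data=True),
]

# Constructed cards with placeholder titles (not the real deck): one scoped to
# storage and retrieval of personal data, one to a user sending credentials.
LINKING_CARD = Card("Constructed linking card", "Linking",
                    (CardHotspot(HotspotType.STORE, personal_data=True),
                     CardHotspot(HotspotType.RETRIEVE, personal_data=True)))
IDENTIFYING_CARD = Card("Constructed identifying card", "Identifying",
                        (CardHotspot(HotspotType.INBOUND, user_involved=True, credentials=True),))

# Constructed answers from one session; the login-form hotspot has none recorded.
SESSION_ANSWERS = {
    ("Constructed linking card", "profile-db-write"): ("yes", "yes"),
    ("Constructed linking card", "profile-db-read"): ("yes", "no"),
}

if __name__ == "__main__":
    for threat in run_session([LINKING_CARD, IDENTIFYING_CARD], MODEL, SESSION_ANSWERS):
        print(threat)
```

Running the script documents two threats: the store of personal data where the group answered yes to both questions, and the credential login flow, which had no recorded answer and is therefore kept as a threat by the "uncertain means yes" rule. The session cache write is never visited for the linking card because the card's P constraint excludes it, which is exactly the scoping the hotspot types are meant to provide.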
In contrast to security threat modeling where the main concern is to protect against a misactor who attacks the system, privacy threat modeling often concerns organizational threats where the organization (or an authorized user of the system) misuses personal data in a way that violates the data subject's privacy.
LINDDUN GO considers 3 main threat sources:
External attacker: a misactor external to the system who has gained access to (or can observe) communication or stored data (typically without authorization, unless specified otherwise).
Organizational: Either the organization as a whole does not respect the data subject's privacy (i.e. by collecting, processing, storing or sharing personal data in a privacy-violating way) or an authorized employee/user (ab)uses personal data in a privacy-intrusive way.
Receiving party: the receiving end of the communication, or a future receiving end (follow the interactions to see where the data can end up).
What are the differences between LINDDUN and LINDDUN GO?
LINDDUN provides support for a more comprehensive privacy assessment (and documentation), while LINDDUN GO is scoped to focus on the most likely hotspots and threat types.
In addition, LINDDUN GO provides more information about each threat type which eases the ideation of relevant privacy threats.
Finally, the LINDDUN GO threat types consist of updated content. (A similar update is ongoing for LINDDUN as well)
Do I need to be a computer scientist to use LINDDUN GO?
No. Of course, you will need a basic understanding of how the system roughly works, as a model of the system architecture will be the basis of the analysis. LINDDUN GO was, however, designed to be used by an interdisciplinary team of stakeholders.
Do I need to create a DFD to apply LINDDUN GO?
No. Any representation of the system that allows you to quickly locate the LINDDUN GO hotspot types (inbound communication, outbound communication, processing operations, storage and retrieval) will suffice. This can be a DFD, but also a whiteboard sketch, client-server view, BPMN, etc., as long as the model can represent each of the hotspots.
Why is Disclosure of information not included in LINDDUN GO?
Disclosure of information is actually a security category. As privacy relies heavily on security, a security assessment of the system is required anyway. LINDDUN GO therefore focuses solely on core privacy concepts, but we advise doing a security assessment in parallel (for example, by applying STRIDE).
How can I be sure I identified a threat that corresponds (only) to the threat type card I am examining at that moment?
You can't, and that's ok!
LINDDUN GO is not intended to provide categorization support, but to help you elicit useful threats for your system. If you identified a threat after reading a threat type card: great! That holds even if it does not precisely map to the card, or (also) corresponds to another card.
In fact, LINDDUN GO cards can overlap with other cards. Several cards are, for instance, subtypes of others, because we believe they are worth highlighting to help trigger the discovery of related threats.