getting started with go

Ready to assess the privacy of your software system?

What do you need to get started?

  1. A team: include a domain expert, system architect, developer, DPO, legal expert, CISO and privacy champion. A diverse team with varied viewpoints works best.
  2. A system description: a simple sketch or diagram of the software system under analysis. This is needed to have a mutual understanding of the system.
  3. The LINDDUN GO card deck.

Schedule two to three hours to complete the privacy threat modeling process. The more elaborate and complex your system is, the more time you will need.

The basics: threat cards,  hotspots and elicitation questions

The LINDDUN GO approach is simple: the most common privacy threats are depicted in 33 threat type cards, which come in 7 suits, representing the main threat categories: Linking, Identifying, Non-repudiation, Detecting, Data Disclosure of information, Unawareness, Non-compliance. The cards will guide you through the threat elicitation process.

To have a mutual understanding of the system under assessment, you also need a system sketch representing the system’s key elements.

GO is best performed in a structured brainstorming session, where participants take turns in picking cards and discussing the potential privacy issues. Such issues should be documented for future mitigation discussions.

Each LINDDUN GO card illustrates a single common privacy threat and is designed to guide you through the threat identification process.

Card template:

  • Name of the privacy threat
  • Hotspot: indication where the threat may occur in your system model (in- or outbound user/data/flows, processes, storage and retrieval actions)
  • Description of the privacy threat
  • Threat source: indication of the origin of the threat (organizational, external)
  • Elicitation questions: to help you determine if the threat is applicable
  • Consequences and Info: further info to investigate the threat

LINDDUN GO dynamics

  1. The first participant picks a random threat card and puts it on the table so that everyone can see it.
  2. Assess if the illustrated privacy threat forms a relevant risk in the system or to the system users. For each system hotspot, consider the card’s elicitation questions. 
  3. If the threat is possible for a specific hotspot, you have identified a threat. Make sure to document it.
  4. Other participants can join in and report any overlooked threats.
  5. When no one can discover any new threats, the next participant draws a card and starts all over.
  6. The exercise is finished when all threat cards have been discussed for all applicable hotspots in the system description.

      Next steps

      After you have identified potential threats to your system design, you are ready to prioritize them and develop mitigation strategies.