Privacy is becoming a key issue in today's e-society. It is of utter most importance that privacy is integrated in the software development lifecycle as soon as possible. LINDDUN is a privacy threat analysis methodology that supports analysts in eliciting privacy requirements.

First, a data flow diagram (DFD) is created which is a structured graphical representation of the system using 4 major types of building blocks: entities, data stores, data flows, and processes. Each DFD element type is associated with a number of privacy threat categories (7 high-level privacy threat categories were identified: Linkability, Identifiability, Non-repudiation, Dectectability, information Disclosure, content Unawareness, and policy and consent Non-compliance). To identify the threats that are applicable to the analyzed system, for each building block the threats of the corresponding threat categories have to be examined. The LINDDUN methodology aids the analyst by providing a set of threat trees which describe the most common attack paths for each possible combination of a threat type and a DFD element type. Based on these trees, the analyst will document the identified threats using Misuse Case scenarios to describe the possible attacks in detail. The threats then need to be prioritized according to their risk. LINDDUN does however not explicitly provide risk analysis support. The elicited threats can then be translated into privacy requirements. Finally, LINDDUN provides a list of privacy solutions to mitigate the elicited threats.

Continue Reading »