A descriptive study of assumptions made in LINDDUN privacy threat elicitation

Abstract

Threat modeling is widely adopted and increasingly recognized as an essential step in the secure software development life cycle (SDLC). Focused on privacy-specific threat categories, LINDDUN is a threat modeling framework that allows the identification of privacy-related design flaws at the stage of the initial architecture concept. LINDDUN advocates making explicit any assumptions during the identification and prioritization of privacy threats. These assumptions are in practice documented informally in a free-form, textual format, and the impact, nature and purpose of these assumptions within the context of LINDDUN is not well understood. We present a descriptive study of assumptions made during the application of LINDDUN. This empirical study involves in total 122 threat models created for an IoT-based home automation system and a total of 845 studied assumptions. This study focuses on (i) clarifying the role of assumption-making in the threat modeling process, and (ii) categorizing the types of information provided in these assumptions, and (iii) their relation to the LINDDUN threat categories or more broadly, any privacy-specific concepts. Our results indicate that in practice, (i) assumptions are used to motivate exclusion of potential threats, yet the rationale behind such decisions is often not documented, (ii) many assumption are about the system under analysis, and (iii) a majority is also relevant outside of the specific LINDDUN or privacy scope.