Privacy threat modeling and data privacy

What is privacy threat modeling? A conversation with two experts

2 January, 2023

Have you ever wondered what the first steps towards ensuring data privacy are, or how threats to privacy are actually identified? Then read on and learn about privacy threat modeling.


What is privacy threat modeling?

Privacy threat modeling is a process of identifying and assessing potential threats to an individual’s personal information. It helps organizations and individuals develop strategies to mitigate these threats and protect data privacy. Organizations often use privacy threat modeling in software development to ensure data privacy.


Podcast with two experts in privacy threat modeling

Recently, I had the privilege of recording a podcast with two experts in this field, Dr. Aram Hovsepyan and Dr. Kim Wuyts. Kim is a researcher at the DistriNet group in KU Leuven. DistriNet is a renowned research lab in the fields of privacy and security. She has been working in the areas of security and privacy engineering and privacy threat modeling for over 15 years. Furthermore, she is one of the creators of the world-renowned LINDDUN privacy threat modeling approach, which is listed among the resources of the Privacy Framework published by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce. That framework helps organizations better understand, manage, and reduce their privacy risk and protect the data they handle.

Aram is the founder and CEO of Codific. Before leading this cybersecurity company, Aram was also a researcher in the DistriNet group, where he worked in the areas of security and privacy engineering, focusing mainly on privacy and security threat modeling.

Make sure to check out the podcast below! 

Why is privacy threat modeling important?

Coming from a non-technical background, I must confess that I had little knowledge about this particular topic before this podcast. Nevertheless, working at a cybersecurity company has sparked my interest in topics surrounding data security and privacy, so I was eager to learn about it. Upon conversing with Aram and Kim, I quickly realized the value and importance of privacy threat modeling. This practice allows one to identify the things that can go wrong from a security or privacy perspective when developing software. Thus, it permits these potential issues to be fixed early in the development lifecycle, which is well established to be far cheaper than fixing them after release. Moreover, it allows for a much better understanding of the risks associated with a particular software project. Understanding the risks and assigning them risk scores gives organizations a guideline for prioritizing and dealing with these risks.


How does threat modeling appear in our every day lives?

Personally, something that really stood out to me about privacy threat modeling, and more widely, threat modeling in general, is that we all do it even if we are not aware of it.

During the interview Aram made a very good analogy to show this. Imagine you have a flight planned later today. Obviously, you do not want to miss this flight, so you are going to consider the different threats that could endanger your ability to take it. For example, you could make sure that you arrive at the airport at least 3 hours before the flight, to ensure you get past check-in and security on time. Moreover, if you are going by public transportation, you may want to aim for an earlier train, so that if you miss it you can still make it with a later one. This is a situation I am sure most of us are familiar with, showing that threat modeling is something we all already do.


How does privacy threat modeling relate to the OWASP Software Assurance Maturity Model (SAMM)?

In the interview we also talked about the relationship between privacy threat modeling and other security-related activities. This was covered by focusing on how it relates to the activities and processes that should be put in place according to the OWASP SAMM framework. SAMM is a security maturity framework and security assurance program that allows any organization to improve its secure software development lifecycle. In other words, it is a framework that enables companies to develop software in a secure and privacy-aware manner, ensuring the data privacy and security of their users. Codific has built a free tool to implement OWASP SAMM.

[Figure: Privacy Threat Modeling and OWASP SAMM (SAMM Framework)]

We observed that threat modeling plays an important role in this process, particularly during the design phase; however, it is vital to consider it within the context of a broader range of activities. Aram states that threat modeling only accounts for up to 10 of the 90 security-related activities necessary to achieve the highest maturity level recognized by the Software Assurance Maturity Model (SAMM). This highlights the need for organizations to engage in a diverse set of activities to fully ensure the cybersecurity and data privacy of their digital products. Make sure to check out this article to learn more about how SAMM relates to privacy threat modeling.


What is the LINDDUN privacy threat modeling methodology?

In the podcast we also talked about the LINDDUN privacy threat modeling methodology, a world-renowned methodology for carrying out this activity. LINDDUN is a mnemonic for the privacy threat categories it covers:

L – Linkability: Adversary is able to link two items of interest without knowing the identity of the data subject(s) involved.

I – Identifiability: Adversary is able to identify a data subject from a set of data subjects through an item of interest.

N – Non-repudiation: Data subject is unable to deny a claim (e.g. having performed an action or sent a request).

D – Detectability: Adversary is able to distinguish whether an item of interest about a data subject exists or not, regardless of being able to read the contents itself.

D – Disclosure of information: Adversary is able to learn the content of an item of interest about a data subject.

U – Unawareness: Data subject is unaware of the collection, processing, storage or sharing activities (and corresponding purposes) of the data subject’s personal data.

N – Non-compliance: Processing, storage, or handling of personal data is not compliant with legislation, regulation, and/or policy.


A further explanation of how the methodology is applied to carry out privacy threat modeling can be found here. It was great to have this methodology explained by two of the experts who helped to create it. Make sure to check out the podcast to learn more about it from them.
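To make the categories above concrete, here is an added example of the core LINDDUN elicitation step in Python. It is illustration written for this post, not tooling from Codific or from the LINDDUN authors. LINDDUN works over a data flow diagram (DFD) of the system and asks, for each element, which of the seven categories apply. The category-to-element mapping in the code is my reading of the LINDDUN mapping table and is an assumption; the sample DFD (a trainee uploading a recorded interview) is constructed for the example, as is the small data-minimization check at the end, which picks up the "do not store what no process needs" advice discussed later in the post.

```python
"""LINDDUN-style privacy threat elicitation over a small data flow diagram (DFD).

Added illustration, not tooling from Codific or the LINDDUN authors.
The category-to-element mapping is my reading of the LINDDUN mapping table
(assumption); the DFD below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ELEMENT_KINDS = {"entity", "process", "store", "flow"}

# Which DFD element types each LINDDUN category applies to (assumption, see above).
# Non-compliance is deliberately absent: it is raised once for the system as a whole.
CATEGORY_TO_KINDS: Dict[str, FrozenSet[str]] = {
    "Linkability": frozenset({"entity", "process", "store", "flow"}),
    "Identifiability": frozenset({"entity", "process", "store", "flow"}),
    "Non-repudiation": frozenset({"process", "store", "flow"}),
    "Detectability": frozenset({"process", "store", "flow"}),
    "Disclosure of information": frozenset({"process", "store", "flow"}),
    "Unawareness": frozenset({"entity"}),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                           # one of ELEMENT_KINDS
    data: FrozenSet[str] = frozenset()  # personal-data attributes this element handles

    def __post_init__(self) -> None:
        if self.kind not in ELEMENT_KINDS:
            raise ValueError(f"unknown DFD element kind: {self.kind!r}")


@dataclass(frozen=True)
class Threat:
    category: str
    element: str            # element name, or "<system>" for system-wide threats
    data: FrozenSet[str]    # personal data at stake for this threat


def elicit(dfd: List[Element]) -> List[Threat]:
    """Enumerate candidate LINDDUN threats for every element that touches personal data.

    Entities are always in scope (an entity may be the data subject); processes,
    stores and flows only if they handle at least one personal-data attribute.
    Every returned threat is a candidate to be analysed, not a confirmed finding.
    """
    threats: List[Threat] = []
    for el in dfd:
        if el.kind != "entity" and not el.data:
            continue  # no personal data here, nothing to elicit
        for category, kinds in CATEGORY_TO_KINDS.items():
            if el.kind in kinds:
                threats.append(Threat(category, el.name, el.data))
    if any(el.data for el in dfd):
        all_data = frozenset().union(*(el.data for el in dfd))
        threats.append(Threat("Non-compliance", "<system>", all_data))
    return threats


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """Quick overview used to see where the analysis effort will go."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


def stored_but_unused(dfd: List[Element]) -> FrozenSet[str]:
    """Data-minimization check: attributes kept in a store that no process touches.

    Storing an attribute no process needs enlarges every Disclosure and Linkability
    threat on that store without serving any purpose, so it is the first thing to cut.
    """
    stored = frozenset().union(*(el.data for el in dfd if el.kind == "store"))
    used = frozenset().union(*(el.data for el in dfd if el.kind == "process"))
    return stored - used


# Constructed sample DFD: a trainee uploads a recorded interview for feedback.
SAMPLE_DFD: List[Element] = [
    Element("Trainee", "entity"),
    Element("Upload recording", "process", frozenset({"name", "email", "video"})),
    Element("Recording store", "store", frozenset({"name", "email", "video", "date_of_birth"})),
    Element("Trainee -> Upload recording", "flow", frozenset({"name", "email", "video"})),
]

if __name__ == "__main__":
    found = elicit(SAMPLE_DFD)
    for t in found:
        print(f"{t.category:<26} {t.element:<28} {sorted(t.data)}")
    print(count_by_category(found))
    print("stored but never processed:", sorted(stored_but_unused(SAMPLE_DFD)))
```

On the sample DFD this yields 19 candidate threats (3 for the entity, 5 each for the process, store and flow, plus one system-wide Non-compliance entry), and the minimization check flags `date_of_birth` as stored without any process needing it. In a real exercise each candidate would then be judged for likelihood and impact, which is where the risk scores mentioned earlier come in.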


Where did the LINDDUN framework come from?

What drew my attention is that LINDDUN grew out of STRIDE, Microsoft's methodology for security threat modeling. STRIDE is also an acronym, standing for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS) and Elevation of Privilege. More information on this methodology can be found here. 12 years ago, Kim and Aram, along with a team of researchers, noticed that a methodology like this did not exist in the privacy domain, and thus they started developing LINDDUN.

How does privacy threat modeling relate to the European Union's General Data Protection Regulation (GDPR)?

[Figure: Privacy threat modeling helps GDPR compliance]

We also discussed how privacy threat modeling relates to the GDPR. It was surprising to see that such reputable legislation appears to have weak spots. According to Aram, the legislators do not seem to know much about data privacy and security engineering. For example, the privacy-by-design paradigm is not clearly defined in the text. In practice it is a buzzword meant to encourage thinking about privacy properties when developing software, and privacy threat modeling is one concrete way to do exactly that. Aram also talked about his personal experience with the legislation: companies that violate it may not always face prosecution, even when violations are known.

Kim further mentioned that companies that want to comply with GDPR should not treat data privacy as a checklist item. The idea is to push companies to develop a culture of doing things in a privacy- and security-friendly way. By this means, organizations can achieve GDPR compliance naturally. Additionally, she once again reinforced the usefulness of privacy threat modeling when it comes to complying with GDPR.

If you want further information about GDPR compliance in software development, then make sure to check out this blog post.


What does a career in privacy threat modeling look like?

We also talked about the career path of someone who does privacy threat modeling. Obviously, like Aram and Kim, a career path as a researcher is always an option. Nevertheless, I wanted to focus more on the jobs available in industry. Usually, security champions or security officers are in charge of carrying out privacy threat modeling activities. Thus, generally, privacy threat modeling is not the only thing you do in your job role.

Nevertheless, Kim does mention that there are consultancy companies that focus specifically on privacy threat modeling. If you were to work at one of these, then threat modeling is more likely to be your full-time job. In reality, however, anyone can do it, although someone with privacy expertise is likely to do it faster and better.


How does a small company with limited resources carry out privacy threat modeling?

Finally, towards the end of our conversation I wanted to give more practical information for companies that want to use privacy threat modeling. Focusing specifically on small companies with more limited resources: how can they employ privacy threat modeling? Aram pointed out that for small companies privacy threat modeling should not be the first priority. Yet, with training or by reading books about the topic, one can develop simple models. As he points out, a bad threat model is better than no threat model. Kim adds that even when privacy is not a priority, companies should minimize their data collection. One should not collect data from users that is not necessary. This also reduces the resources needed to keep the data private and secure.

In general, the podcast conversation was very interesting and I highly recommend you listen to it, as privacy threat modeling is definitely something every company should be aware of. This is especially true for companies that process personal information of their users.


What software do we develop using privacy threat modeling?

Codific is a team of security software engineers who leverage privacy-by-design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-tech and Med-tech. Secure collaboration and secure sharing are at the core of our solutions.

Videolab is used by top universities, academies and hospitals to put the care in healthcare. Communication skills, empathy and other soft skills are trained by sharing recordings of patient interviews for feedback.

SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.

SAMMY is a Software Assurance Maturity Model management tool. It enables companies to formulate and implement a security assurance program tuned to the risks they are facing. That way we help other companies build a simple and safe digital future. Naturally, our own AppSec program, and SAMMY itself, are built on top of SAMM.

We believe in collaboration and open innovation. Therefore, we would love to hear about your projects and see how we can contribute to developing secure software and privacy-by-design architectures. Contact us.

Reach out to us here