Effective and efficient privacy threat modeling through domain refinements.

SAC 2018: Symposium on Applied Computing, Pau, France, April 2018

Citations: 29 | Views: 26
Abstract
Privacy and security are crosscutting concerns in the design of any software system or service, and thus a broad focus on the end-to-end system architecture is required. For this reason, systematic approaches to elicit security and privacy threats and risks are gaining importance. Such approaches, however, are highly analytic, require substantial effort and rely extensively on domain expertise. Applying these methods in practice easily leads to the problem of threat explosion, where the effort required to prioritize and consider all threats starts to exceed the benefits of adopting these methods. To address this impediment to practical adoption, we present our approach to improve LINDDUN, an existing privacy engineering method. We create a domain refinement questionnaire, which involves activating and deactivating threat tree nodes by posing specific questions to the privacy engineer or software architect, leading to the a priori exclusion of non-applicable threats from the analysis exercise. The efficiency gain can be strengthened further by incorporating reusable domain knowledge in the approach to instantiate the questionnaire.
Keywords
Privacy by design, privacy impact assessment, domain knowledge, threat modeling