Author:

Abstract:

With privacy becoming a key concern in modern society, it is important that privacy measures are strongly incorporated whenever digital data are involved. Unfortunately, privacy is often neglected when engineering software systems and only introduced as an afterthought. Retrofitting privacy concerns in an existing system is however not straightforward. In recent years, a different attitude towards privacy has emerged, which is known as 'Privacy by Design.' One of its core principles states that privacy should be embedded in the early stages of the software development lifecycle, rather than having it as an add-on. Hence, privacy should become an essential component in the software development process.This thesis adheres to the Privacy by Design paradigm as it proposes and validates LINDDUN, a privacy threat modeling methodology that helps software engineers with limited privacy expertise to introduce privacy early on in the software development lifecycle.LINDDUN is a model-based approach that leverages a data flow diagram (DFD) as representation of the system to be analyzed. This DFD will serve as basis for the analysis, as each of its elements is systematically examined thoroughly for privacy threats. The methodology is also knowledge-based. It provides an overview of the most common attack paths associated with the set of privacy threat categories contained in the acronym LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance). The attack paths are represented as threat trees that detail possible causes of threats. Each tree presents the attack paths that are related to one threat category which is applied to one particular DFD element type (entity, data flow, data store, or process). LINDDUN is not a single off-the-shelf technique that you can plug-and-play. It is a reasonably complex methodology and its success is affected by the interaction between the analyst and the methodology itself. Therefore, in order to validate LINDDUN and its applicability, we did not merely look at the methodology itself, but we also investigated this human-methodology dependency and reflected upon it. We performed a multi-faceted, empirical validation of LINDDUN comprising three studies involving analysts of different seniority to evaluate its ease of use and overall performance. As a final contribution, we enhanced the LINDDUN methodology based on the empirical results. The main changes include an update and extension of the threat trees and their descriptions, and a repositioning of the security threats.