Trackr.Live The landing site for Trackr Services
§ Trackr.Live

LINDDUN

LINDDUN is the privacy-focused threat modeling framework developed at the DistriNet research group at KU Leuven in Belgium. The framework provides a structured way to analyze privacy threats during system design, parallel in structure to STRIDE but addressing privacy threats rather than security threats. The seven LINDDUN categories — Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, Unawareness, Non-compliance — give engineers a checklist for thinking through what could go wrong from a privacy perspective when handling personal data.

The framework was first published in 2011 by Mina Deng, Kim Wuyts, Riccardo Scandariato, Bart Preneel, and Wouter Joosen. The original work emerged from privacy engineering research at a time when privacy threat modeling was substantially less developed than security threat modeling, and the framework has matured through multiple revisions since, with the current LINDDUN v3 and the simplified LINDDUN GO variant both in active use as of 2026.

The framework has become substantially more operationally consequential since the implementation of GDPR (effective 2018), CCPA (effective 2020), and the broader wave of privacy regulations that followed. Organizations subject to these regulations need structured privacy threat analysis to demonstrate compliance with privacy-by-design requirements, and LINDDUN provides the most-adopted framework for that work.

This page is the deep-dive companion to the Threat Modeling Frameworks umbrella. The scope here is what LINDDUN actually is, how it differs from security-focused threat modeling, where it earns operational value, and how it pairs with the security frameworks (especially STRIDE) for systems that need both kinds of analysis.

What LINDDUN actually is

LINDDUN is a privacy threat modeling framework that applies the same DFD-based methodology as STRIDE to a different problem domain. The framework consists of:

  • Seven privacy threat categories (the LINDDUN acronym) that an analyst walks through during threat modeling.
  • A DFD-based methodology that uses the same data flow diagram artifacts as STRIDE, with the same trust boundary concept and the same per-element or per-interaction walkthrough.
  • Privacy threat trees (in the full LINDDUN methodology) that decompose each high-level threat category into specific threat patterns.
  • A mapping to privacy enhancing technologies (PETs) that suggests mitigations for identified privacy threats.

The framework is explicitly designed to complement STRIDE rather than to replace it. STRIDE addresses security threats — what an adversary could do to compromise the system. LINDDUN addresses privacy threats — what could happen to the personal data the system handles, regardless of whether the cause is adversarial. The two frameworks share methodology and modeling artifacts but produce different threat categories.

The framework is freely available through KU Leuven’s research group, with the canonical reference site at linddun.org providing the framework documentation, the privacy threat trees, the LINDDUN GO card deck, and the integration guidance with related frameworks.

The privacy-vs-security distinction

The most important conceptual point about LINDDUN is the distinction between privacy threats and security threats. The two overlap but are not the same, and the distinction determines which framework applies to a given concern.

Security threats are about the system protecting itself against adversaries. Spoofing, tampering, denial of service — these are threats to the system’s security properties. STRIDE addresses them.

Privacy threats are about what could happen to personal data — including by the system itself, by the system’s operators, by parties the system shares data with, or by adversaries who compromise the system. LINDDUN addresses them.

The overlap: Information Disclosure (STRIDE) and Disclosure of Information (LINDDUN) overlap substantially. Both address unauthorized exposure of data. The distinction is whose perspective matters — STRIDE treats disclosure as a security failure of the system; LINDDUN treats disclosure as a privacy failure for the data subject (the person whose data was disclosed). The same incident is often both, and a complete threat model captures both perspectives.

The non-overlap: Linkability, Identifiability, Detectability, Unawareness, and Non-compliance are LINDDUN threats with no clear STRIDE analog. They address privacy concerns that do not necessarily involve an adversary, and that exist even when the system is functioning exactly as designed.

A useful way to frame the distinction: STRIDE asks “what could go wrong with the system?” LINDDUN asks “what could go wrong for the person whose data the system handles?” The two questions are related but distinct, and systems that handle personal data benefit from both perspectives.

The seven categories

The LINDDUN acronym corresponds to seven privacy threat categories. Each warrants more depth than the acronym alone provides.

Linkability

Linkability is the threat that information about an individual can be linked across data items, transactions, or contexts to build a more complete profile than the individual intended. The category covers:

  • Cross-record linkability — multiple records in a database that can be linked to the same individual through quasi-identifiers (combinations of fields that uniquely identify someone even without explicit identifiers).
  • Cross-system linkability — data in one system that can be linked to data in another system through shared identifiers or correlation patterns.
  • Temporal linkability — multiple actions by the same individual over time that can be aggregated into a behavior profile.
  • Cross-session linkability — different sessions that can be linked even when the user has not explicitly identified themselves.

Linkability is a privacy threat even without identification. The user does not need to be identifiable for linkability to be a concern; the existence of a coherent profile that tracks the same (unidentified) individual is itself a privacy harm in many contexts. Anonymous tracking that builds a stable profile across sessions raises linkability concerns regardless of whether the profile is ever associated with an identity.

Mitigations typically involve unlinkable identifier schemes, minimization of cross-record correlation, careful management of quasi-identifiers, and privacy-enhancing technologies like k-anonymity, l-diversity, and differential privacy.

Identifiability

Identifiability is the threat that an individual can be identified from data that was not intended to identify them. The category covers:

  • Direct identification — data that explicitly identifies an individual (name, email, government ID).
  • Quasi-identifier-based identification — combinations of fields (date of birth, ZIP code, gender) that uniquely identify an individual despite no single field being directly identifying.
  • Pattern-based identification — behavioral patterns, writing style, location patterns, or other characteristics that allow identification.
  • Side-channel identification — identification through indirect signals not intended as identifiers (typing rhythm, device fingerprinting, network characteristics).

Identifiability is distinct from linkability. Linkability is about connecting records together; identifiability is about connecting records to a specific individual. A system can have linkability without identifiability (records connected to a stable pseudonym), identifiability without linkability (each record contains a name but is not connected to other records of the same person), or both.

Mitigations include pseudonymization, anonymization techniques, k-anonymity, careful management of quasi-identifiers, and explicit policies about what identifiers may be retained.

Non-repudiation (privacy context)

Privacy non-repudiation is the threat that a user cannot deny having performed an action, in contexts where the user would want to be able to deny it. This is the inverse of the security non-repudiation property — in security terms, non-repudiation is a desirable property; in privacy terms, the inability to repudiate can be a privacy harm.

The distinction matters because the same cryptographic mechanisms (digital signatures, audit logs) provide security non-repudiation and create privacy non-repudiation threats simultaneously. A signed message proves the signer cannot deny having sent it — desirable for the recipient’s security, potentially a privacy concern for the signer if the message contained sensitive content they did not want permanently attributable to them.

Privacy non-repudiation threats apply to:

  • Whistleblower contexts where the source needs deniability.
  • Anonymous speech contexts where attribution would chill expression.
  • Sensitive transactions where permanent attribution creates ongoing privacy exposure.
  • Authentication that creates permanent transaction records that the user would later prefer not be linkable to them.

Mitigations involve repudiable authentication schemes, deniable encryption, ephemeral credentials, and careful design of audit trails to balance security non-repudiation needs against privacy non-repudiation concerns.

Detectability

Detectability is the threat that the existence of personal data — or the fact that a user is using a system, or has visited a particular page, or has engaged in a particular activity — can be detected by parties who should not be aware of it. The category covers:

  • Existence detection — detecting that a user has an account or record in a system.
  • Activity detection — detecting that a user has engaged with a particular service or content.
  • Membership detection — detecting that a user belongs to a particular group, organization, or dataset.
  • Side-channel detection — detecting user activity through indirect signals (network traffic timing, response sizes, error messages).

Detectability concerns extend beyond just the content of personal data to the metadata about its existence. The fact that a user has visited an HIV testing site is privacy-sensitive even if the specific test results are not exposed. Detectability captures these meta-level privacy concerns.

Mitigations include traffic padding, dummy requests, cover traffic, privacy-preserving database lookups (private information retrieval), and careful design to minimize observable metadata.

Disclosure of Information

Disclosure of Information is the threat that personal data is exposed to parties who should not have access to it. The category overlaps substantially with STRIDE’s Information Disclosure but is framed from the data subject’s perspective rather than the system’s perspective.

Disclosure threats include:

  • Direct disclosure — personal data accessed by parties without authorization.
  • Aggregated disclosure — individually-anonymous data combined into identifying information (the linkability-plus-identifiability combination).
  • Inferred disclosure — sensitive information inferred from non-sensitive data through machine learning or statistical inference.
  • Onward disclosure — data shared with third parties that then experience their own disclosure events.

The privacy framing of disclosure is broader than the security framing. A system can experience a privacy disclosure failure without any security incident — for example, by sharing data with a partner under terms that don’t adequately protect the data, or by retaining data longer than necessary, or by processing data for purposes the data subject did not consent to.

Mitigations are the security mitigations against Information Disclosure (covered in STRIDE) plus privacy-specific controls: data minimization, purpose limitation, retention limits, consent management, and careful third-party data sharing arrangements.

Unawareness

Unawareness is the threat that the user does not know how their data is being collected, used, shared, or retained. The category captures privacy threats that exist not because data is mishandled but because the user lacks the information needed to make informed privacy decisions.

Unawareness threats include:

  • Collection unawareness — user does not know what data is being collected.
  • Use unawareness — user does not know how their data is being used.
  • Sharing unawareness — user does not know who their data is being shared with.
  • Retention unawareness — user does not know how long their data will be kept.
  • Rights unawareness — user does not know what rights they have regarding their data (access, deletion, correction).

Unawareness is one of the categories where LINDDUN’s framing differs most sharply from security-focused frameworks. Security threat modeling does not typically address what the user knows about the system. Privacy threat modeling does, because user awareness is itself a privacy property — informed consent and meaningful control require user awareness.

Mitigations are primarily transparency mechanisms: clear privacy notices, just-in-time disclosures, consent management interfaces, data access tools, and policies that explicitly inform users of changes to data practices.

Non-compliance

Non-compliance is the threat that the system fails to comply with applicable privacy regulations, organizational policies, or stated privacy commitments. The category captures privacy threats that arise from misalignment between what the system does and what it is supposed to do under the applicable rules.

Non-compliance threats include:

  • Regulatory non-compliance — failure to comply with GDPR, CCPA, HIPAA, sector-specific regulations, or other legal requirements.
  • Policy non-compliance — failure to comply with the organization’s own privacy policies.
  • Commitment non-compliance — failure to deliver on privacy commitments made to users (privacy notices, terms of service).
  • Standards non-compliance — failure to comply with industry standards or certifications the organization has claimed.

Non-compliance is the category most directly tied to legal and regulatory consequences. GDPR fines can reach 4% of global annual turnover; CCPA fines per violation can accumulate quickly; sector-specific regulations have their own enforcement mechanisms. Non-compliance threat analysis is what connects privacy threat modeling to actual organizational risk.

Mitigations are compliance program elements: privacy impact assessments, data flow inventories, retention policies, consent management, data subject rights processes, vendor management, breach notification procedures, and the broader organizational infrastructure that demonstrates regulatory compliance.

The methodology

Applying LINDDUN involves the same three activities as STRIDE, adapted for privacy:

Decompose the system. Produce a DFD showing components, data flows, and trust boundaries — same artifact as STRIDE. For LINDDUN purposes, the DFD should highlight where personal data enters the system, where it is stored, where it is processed, where it is shared, and where the trust boundaries cross.

Identify privacy threats. Walk through the model and apply the seven LINDDUN categories to each element or interaction, asking which privacy threats apply. The walkthrough uses the same per-element or per-interaction patterns as STRIDE, with category applicability determined by the type of element being analyzed.

Determine mitigations and validate. For each identified threat, determine the planned mitigation (privacy enhancing technologies, transparency mechanisms, compliance controls). Validate that the mitigations actually address the threats and that they hold up under the relevant regulatory frameworks.

The framework provides threat trees for each of the seven categories — structured decompositions that break each high-level threat into more specific threat patterns. The threat trees guide the analyst through the analysis without requiring deep privacy engineering expertise, providing the same kind of scaffolding that STRIDE provides for security threat identification.

LINDDUN GO — the simplified variant

The full LINDDUN methodology is comprehensive but heavyweight. Threat trees for all seven categories, applied per-element or per-interaction across a complex system, can produce more analytical work than agile development cycles can support. LINDDUN GO is the simplified variant introduced specifically to address this gap.

LINDDUN GO uses a card deck rather than threat trees. Each card describes a specific privacy threat pattern with examples and mitigation suggestions. The methodology becomes:

  1. Produce a DFD (same as full LINDDUN).
  2. For each card in the deck, examine the DFD and identify any elements or interactions that the threat applies to.
  3. Document the identified threats and mitigations.

The card-based approach is faster than the threat tree walkthrough and accessible to development teams without deep privacy expertise. The trade-off is reduced analytical depth — the cards capture common privacy threats but may miss less-common patterns that the threat trees would surface.

In practice, LINDDUN GO has become the more-adopted variant for agile development contexts, with the full LINDDUN reserved for high-privacy-impact systems or for security-and-privacy team work where the methodology depth is warranted.

The regulatory context

LINDDUN’s operational consequence has grown substantially with the implementation of comprehensive privacy regulations:

GDPR (General Data Protection Regulation, effective 2018) is the European Union privacy regulation that has become the de facto global privacy standard. GDPR includes “privacy by design and by default” requirements (Article 25) that explicitly require structured privacy analysis during system design. LINDDUN is one of the frameworks organizations use to demonstrate compliance with these requirements.

CCPA (California Consumer Privacy Act, effective 2020) and its successor CPRA (California Privacy Rights Act, effective 2023) are the California state privacy regulations. CCPA/CPRA includes data minimization, transparency, and consumer rights requirements that map onto LINDDUN categories (particularly Unawareness and Non-compliance).

State-level privacy regulations have proliferated across the United States since 2020, with at least 15 states having comprehensive privacy laws as of 2026. The frameworks vary in detail but share common structural requirements that LINDDUN-style analysis addresses.

Sector-specific regulations including HIPAA (healthcare), GLBA (financial services), COPPA (children’s privacy), and FERPA (educational records) all include privacy requirements that benefit from structured threat modeling. LINDDUN-style analysis can be adapted to sector-specific contexts by emphasizing the categories most relevant to the sector’s regulatory framework.

Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) are the regulatory artifacts that organizations produce to document their privacy analysis. LINDDUN provides the analytical structure that supports PIA/DPIA work, particularly for the identification of privacy risks and the documentation of mitigations.

The regulatory context is what makes LINDDUN adoption operationally consequential rather than purely academic. Organizations subject to comprehensive privacy regulations need structured privacy threat analysis as part of their compliance program, and LINDDUN provides the framework that supports that work.

Where LINDDUN excels

The framework earns operational value in several specific contexts:

Privacy threat modeling for systems handling personal data. Any system that processes substantial personal data benefits from LINDDUN-style analysis. The framework structure ensures that privacy threats are systematically considered rather than addressed ad hoc.

GDPR/CCPA compliance work. Privacy regulations require structured privacy analysis. LINDDUN provides the analytical framework that supports compliance documentation, particularly for privacy-by-design demonstrations and for PIA/DPIA development.

Privacy-by-design programs. Organizations that have committed to privacy-by-design practices need a methodology to operationalize the commitment. LINDDUN integrates into design review processes the same way STRIDE does for security, making privacy analysis a standard part of system design.

Cross-functional privacy conversations. LINDDUN provides shared vocabulary that lets privacy engineers, software engineers, lawyers, and compliance staff discuss privacy threats with consistent terminology. The shared vocabulary reduces friction across the cross-functional teams that privacy work typically requires.

Training engineers in privacy thinking. Engineers learning privacy benefit from the structured prompts LINDDUN provides. The seven categories give specific things to ask about, which is more productive than “think about privacy” as a general directive.

Vendor and third-party privacy assessment. LINDDUN-structured analysis can be applied to vendor data handling practices, third-party integrations, and data sharing arrangements. The framework gives a structured basis for asking vendors about their privacy practices.

Where LINDDUN has limits

Several structural limits warrant honest treatment:

The framework is younger and less broadly adopted than STRIDE. While LINDDUN has been published since 2011, broad adoption has lagged STRIDE substantially. The tooling ecosystem is smaller, the community is smaller, and the body of accumulated organizational knowledge is thinner. Organizations adopting LINDDUN often need to develop more of the practical implementation themselves than STRIDE adoption typically requires.

Privacy threat modeling overlaps awkwardly with security threat modeling. The Disclosure of Information category overlaps substantially with STRIDE’s Information Disclosure. Teams running both STRIDE and LINDDUN sometimes produce duplicate threat lists or miss the connection between security and privacy framings of the same underlying concern.

The seven categories vary in operational importance. Some categories (Linkability, Identifiability, Disclosure of Information, Non-compliance) tend to dominate privacy threat analysis in practice. Others (Non-repudiation in the privacy sense, Detectability, Unawareness) are important in specific contexts but less frequently determinative. The framework treats all seven as equivalent; practical use often weights them differently.

Privacy enhancing technologies (PETs) require expertise to apply correctly. The mitigation side of privacy threat modeling depends on appropriate selection and configuration of PETs — k-anonymity, differential privacy, secure multi-party computation, homomorphic encryption, and other privacy-preserving techniques. These are sophisticated technologies that require expertise beyond what LINDDUN itself provides.

The regulatory landscape changes faster than the framework. Privacy regulations have evolved substantially since LINDDUN was first published. The framework’s categories remain stable, but their relative importance shifts as new regulations emphasize specific privacy concerns. Practitioners need to stay current on regulatory developments separately from LINDDUN methodology.

Quantification of privacy harms is genuinely difficult. Security threat modeling can usually estimate impact in terms of system properties (CIA losses) and business impact (downtime cost, breach response cost). Privacy threat modeling involves harms to individuals (loss of autonomy, reputational harm, discrimination, chilling effects) that are harder to quantify but no less real. LINDDUN structures the threat identification; it does not solve the impact estimation problem.

The relationship to STRIDE and other frameworks

LINDDUN is explicitly designed to pair with STRIDE for systems that need both security and privacy threat modeling. The two frameworks share:

  • The same DFD-based methodology.
  • The same per-element or per-interaction walkthrough pattern.
  • The same trust boundary concept.
  • The same integration into design review processes.

The differences are in threat categories (seven privacy categories vs six security categories) and in perspective (data subject’s perspective for LINDDUN, system’s perspective for STRIDE).

In practice, organizations that do both security and privacy threat modeling typically run them as parallel exercises — same DFD, same walkthrough sessions, but applying both category sets. The combined output covers security and privacy threats together, with the overlap (Information Disclosure / Disclosure of Information) handled by capturing the threat once and noting both its security and privacy implications.

Other frameworks that intersect with LINDDUN:

  • Privacy Impact Assessments (PIAs) and DPIAs are higher-level documents that LINDDUN analysis can inform. LINDDUN provides the threat identification structure; the PIA/DPIA provides the regulatory documentation.
  • NIST Privacy Framework is the higher-level strategic framework that pairs with LINDDUN the way NIST Cybersecurity Framework pairs with D3FEND. The Privacy Framework provides strategic structure; LINDDUN provides technical detail.
  • OWASP Privacy Risks is a community-maintained list of common privacy risks in web applications. The list overlaps with LINDDUN categories and is useful as a complementary checklist.
  • Privacy by Design (PbD) as articulated by Ann Cavoukian is a high-level philosophy that LINDDUN operationalizes for technical analysis.
  • Solove’s Taxonomy of Privacy is the academic privacy taxonomy that influenced LINDDUN’s category development.

Operational use

A few places LINDDUN shows up in practical work in 2026:

During architecture review for systems handling personal data. LINDDUN runs alongside STRIDE during design review, with both frameworks applied to the same DFD. The output is a combined security-and-privacy threat list that informs design decisions before implementation.

During PIA/DPIA development. Privacy Impact Assessments and Data Protection Impact Assessments use LINDDUN-style analysis as the technical foundation for the regulatory documentation. The threat identification work feeds directly into the assessment narrative.

During vendor and third-party assessment. When evaluating data sharing arrangements with vendors or partners, LINDDUN provides a structured framework for analyzing the privacy implications. The framework gives concrete questions to ask vendors about their data handling practices.

During product feature design. New features that involve personal data get LINDDUN-style analysis during the design phase. The structured prompts help identify privacy issues before the feature is built rather than after.

During training and onboarding. LINDDUN provides the structured introduction to privacy threat modeling for engineers and product managers new to privacy work. The seven categories are accessible enough to learn quickly while being substantive enough to support real analytical work.

Tooling

The LINDDUN tooling ecosystem is real but smaller than STRIDE’s:

The LINDDUN.org canonical site provides the framework documentation, the privacy threat trees, the LINDDUN GO card deck (downloadable as PDF for printing or as digital cards), and integration guidance.

OWASP Threat Dragon supports LINDDUN alongside STRIDE in the same tool, providing a single interface for both security and privacy threat modeling work. This is the standard tooling recommendation for teams running both frameworks.

IriusRisk supports LINDDUN in its commercial threat modeling platform, with built-in templates and integration with development pipelines.

LINDDUN GO physical card decks are printed by some organizations to support in-person threat modeling workshops. The physical cards make the methodology more tangible and accessible to non-specialists.

Spreadsheet-based threat modeling with LINDDUN columns alongside STRIDE columns is common in practice, particularly for organizations starting their privacy threat modeling practice without dedicated tooling investment.

Persistent pitfalls

Several recurring failure patterns in LINDDUN adoption:

Treating privacy threat modeling as a compliance checkbox. Organizations sometimes adopt LINDDUN specifically to satisfy GDPR or CCPA documentation requirements without genuinely integrating the analysis into design decisions. The output is privacy threat documentation that exists for compliance audits without affecting how systems are actually built.

Confusing privacy threats with security threats. Teams new to LINDDUN often produce analyses that look like STRIDE analyses with different category labels. The Linkability, Identifiability, Unawareness, and Non-compliance categories require specifically privacy-focused thinking that doesn’t translate from security thinking directly.

Skipping the Unawareness category. Engineers tend to focus on the technical categories (Linkability, Identifiability, Detectability, Disclosure) while skipping the Unawareness category that addresses user-facing transparency. Unawareness is one of the most common categories of actual privacy harm and warrants direct attention.

Failing to update for regulatory changes. Privacy regulations evolve rapidly. LINDDUN analyses produced under one regulatory framework may not address concerns added by later regulations. Periodic re-analysis of high-risk systems is necessary; one-time analysis is not.

Treating data minimization as out of scope. Data minimization — collecting only data needed for stated purposes, retaining it only as long as necessary — is one of the most effective privacy mitigations. LINDDUN analyses sometimes focus on protecting collected data without questioning whether the data should be collected at all. The minimization question should be asked explicitly.

Inadequate consideration of inferred data. Machine learning and statistical inference can derive sensitive information from data that does not appear sensitive on its face. LINDDUN analyses sometimes focus on directly-collected data while missing the inference threats that modern ML enables.

One-time threat modeling without iteration. Privacy threat models should update as systems evolve, as data practices change, and as the regulatory landscape shifts. Static threat models become outdated quickly in privacy contexts.

Standards and references

  • LINDDUN.org — the canonical framework documentation and resources.
  • Original LINDDUN paper — Deng, Wuyts, Scandariato, Preneel, Joosen (2011), “A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements,” published in Requirements Engineering.
  • LINDDUN GO — the simplified card-based variant, with materials available at linddun.org.
  • NIST Privacy Framework — the higher-level strategic framework that pairs with LINDDUN.
  • GDPR Article 25 — the privacy by design requirement that LINDDUN supports.
  • ISO/IEC 27701 — the privacy information management system standard that references LINDDUN-style analysis.
  • OWASP Threat Dragon — the open-source tool supporting both STRIDE and LINDDUN.
  • NIST Privacy Engineering Program — the broader US government privacy engineering work that LINDDUN-style analysis fits within.

How to actually use LINDDUN in 2026

For organizations adopting LINDDUN, a practical sequence:

  1. Establish STRIDE adoption first if security threat modeling isn’t already practice. LINDDUN pairs naturally with STRIDE and benefits from the shared methodology. Organizations without security threat modeling practice will struggle to add privacy threat modeling.

  2. Train the team on the privacy-vs-security distinction. The two frameworks share methodology but address different concerns. Engineers need to understand the distinction before they can apply LINDDUN productively.

  3. Adopt LINDDUN GO for routine work, full LINDDUN for high-impact systems. The card-based variant fits agile development cycles better; the full methodology with threat trees is appropriate for systems with substantial privacy implications.

  4. Run privacy threat modeling alongside security threat modeling. Same DFD, same walkthrough sessions, both frameworks applied. The combined output covers security and privacy together.

  5. Integrate with PIA/DPIA processes. The LINDDUN analysis feeds the regulatory documentation. Treating them as separate exercises produces duplicate work.

  6. Engage with the broader privacy program. Privacy threat modeling is one element of a privacy program that also includes data inventory, consent management, data subject rights processes, vendor management, breach notification, and policy work. The threat modeling is most valuable when integrated with these broader functions.

  7. Maintain privacy engineering expertise. Privacy enhancing technologies (k-anonymity, differential privacy, secure multi-party computation, homomorphic encryption) require expertise beyond LINDDUN itself. The mitigation side of privacy threat modeling depends on appropriate PET selection and configuration.

  8. Update analyses as regulations evolve. Privacy regulations have changed substantially in the last five years and will continue to change. Treat threat models as living documents that update with the regulatory landscape.

LINDDUN has become substantially more operationally consequential since the privacy regulation wave that began with GDPR. The framework provides the structured privacy analysis that the regulations effectively require, and its pairing with STRIDE makes adoption straightforward for organizations already doing security threat modeling. The challenges are in the genuine privacy engineering expertise required to use it well — the framework structures the analytical work, but the analysis still requires privacy-specific knowledge that the framework itself does not provide.

Where to go next on this site

Adjacent material on this site:

  • Threat Modeling Frameworks — the umbrella overview.
  • STRIDE — the security-focused parallel framework that LINDDUN explicitly mirrors.
  • MITRE ATT&CK — the operational adversary behavior framework.
  • MITRE D3FEND — the defensive countermeasure catalog.
  • The Cyber Kill Chain — the attack lifecycle model.
  • The Diamond Model — the CTI analytical framework.
  • PASTA — the heavyweight risk-centric methodology.
  • OCTAVE — the asset-driven enterprise risk methodology.

LINDDUN is the design-time threat modeling framework that handles the privacy concerns STRIDE doesn’t address. The framework has matured significantly since its 2011 introduction, the regulatory environment has made it operationally consequential rather than purely academic, and the pairing with STRIDE has made adoption straightforward for organizations already doing security threat modeling. For systems handling substantial personal data, LINDDUN-style analysis is now essentially required — both because regulations demand structured privacy analysis and because the privacy harms the framework addresses are real and consequential regardless of regulatory requirements.