LINDDUN Privacy Threat Modeling

Photo by Tim Mossholder on Unsplash

LINDDUN Methodology

  1. Model the system. Map out the digital systems you interact with, including users or third party services, data stores, processes, and data flows (indicating how the information is propagated through the system).
  2. Elicit threats. Analyze each element in the model you created, identifying the privacy threats present in each of the 7 threat categories (see below).
  3. Manage threats. Prioritize the threats, then decide specifically what privacy-enhancing techniques and tools you’ll use to mitigate them.

LINDDUN Threat Categories

  • Linkability: Adversary is able to link 2 items of interest without knowing your identity.
  • Identifiability: Adversary is able to identify you out of a group of people by using an item of interest.
  • Non-repudiation: You’re unable to deny a claim (e.g., that you performed an action, or sent a request).
  • Detectability: Adversary is able to distinguish whether an item of interest about you exists or not, regardless of being able to read the contents itself.
  • Disclosure of information: Adversary is able to learn the content of an item of interest about you.
  • Unawareness: You’re unaware of the collection, processing, storage, or sharing activities of the your personal data.
  • Non-compliance: Processing, storage, or handling of personal data is not compliant with legislation, regulation, and/or policy.

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Chad Warner


Cyber threat intelligence (CTI), OSINT, & cybersecurity enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.