COMATULA: A Privacy Threat Modeling Method

State: Open

Threat Modeling is a structured activity that aims to answer the question "what could go wrong if we implement a system by following a given design?". By asking this question during the design stage of a system's development, threat modeling tries to ensure that the elicited threats do not end up as structural vulnerabilities. Thus, threat modeling contributes to a secure development cycle, since security concerns are "built in" rather than "bolted on". However, looking at the methods, tools, and approaches that currently exist, it is clear that the focus on security rarely embraces privacy-related aspects, or that security is treated as a synonym that subsumes privacy [1, 2].

"In the digital world, security has become synonymous with privacy. But the truth of the matter is that they are not the same at all. As long as these two terms continue to be misunderstood or interchanged for one another, businesses will struggle to protect the privacy of consumers online." – Forbes, 2019

To improve the current posture of modeling privacy threats, this thesis proposes the development of a generic methodology to identify privacy threats. In [3], the authors showed how to create a privacy threat model for a specific technology in an automated way. In this thesis, the goal is to define a modeling method, similar to STRIDE [4], that allows the identification of events that threaten these privacy goals:

The proposed privacy threat modeling approach can be integrated into a visual tool like CoReTM, which would support (i) the navigation of the methodology and (ii) the visual notation of threats.
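To make concrete what "a modeling method similar to STRIDE" means mechanically, the following is an added illustration (not code from the thesis proposal or from CoReTM): a small, table-driven elicitor in the shape of STRIDE-per-element. Each element of a data-flow diagram is assigned the threat categories that a category table lists for its element type, and a second pass shows how few of the resulting STRIDE threats say anything about the personal data an element carries. The STRIDE categories and their per-element applicability follow the Microsoft STRIDE material cited as [4]; the sample diagram, the `personal_data` attribute and all function names are constructed for this example.

```python
"""Table-driven, STRIDE-style threat elicitation over a small data-flow diagram (DFD).

Added example: the category tables are STRIDE's; the DFD and the
`personal_data` attribute are constructed here to illustrate the gap the
thesis proposal describes.
"""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE categories (Microsoft [4]).
STRIDE_CATEGORIES: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to which DFD element type.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                    # external_entity | process | data_store | data_flow
    personal_data: bool = False  # constructed attribute: element carries personal data


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def elicit(elements: List[Element],
           per_element: Dict[str, str] = STRIDE_PER_ELEMENT,
           categories: Dict[str, str] = STRIDE_CATEGORIES) -> List[Threat]:
    """Enumerate candidate threats: every category the table lists for the element's kind.

    A privacy method in the same shape would plug in a different `categories`
    and `per_element` table; the enumeration loop itself does not change.
    """
    found: List[Threat] = []
    for e in elements:
        if e.kind not in per_element:
            raise ValueError(f"unknown element kind: {e.kind!r}")
        for code in per_element[e.kind]:
            found.append(Threat(e.name, categories[code]))
    return found


def privacy_relevant(threats: List[Threat], elements: List[Element]) -> List[Threat]:
    """Return the threats raised against elements that carry personal data.

    Of the STRIDE categories this yields, only Information disclosure concerns
    what happens to the personal data itself; the rest are security properties
    of the element, which is the security/privacy conflation the page points at.
    """
    carrying = {e.name for e in elements if e.personal_data}
    return [t for t in threats if t.element in carrying]


# Constructed sample DFD: a user uploads location data to a service that stores it.
SAMPLE_DFD: List[Element] = [
    Element("User", "external_entity"),
    Element("Location upload", "data_flow", personal_data=True),
    Element("API service", "process"),
    Element("Location DB", "data_store", personal_data=True),
]

if __name__ == "__main__":
    threats = elicit(SAMPLE_DFD)
    for t in threats:
        print(f"{t.element:16} {t.category}")
    print(f"{len(threats)} STRIDE threats, "
          f"{len(privacy_relevant(threats, SAMPLE_DFD))} on elements carrying personal data")
```

Running the block on the constructed diagram yields 15 STRIDE threats, 7 of them against the two elements that carry personal data, and those 7 fall into only four categories (Tampering, Repudiation, Information disclosure, Denial of service). Swapping the two tables for a privacy-specific category set keyed by element type is exactly the kind of method the proposal aims to define.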

[1] Jan von der Assen, Muriel F. Franco, Christian Killer, Eder J. Scheid, Burkhard Stiller: "CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling"; IEEE International Conference on Cyber Security and Resilience, Virtually, Europe, July 2022, pp. 1–8, Available Online
[2] Anton Konev, Alexander Shelupanov, Mikhail Kataev, Valeriya Ageeva, Alina Nabieva: "A Survey on Threat-Modeling Techniques: Protected Objects and Classification of Threats"; Symmetry, vol. 14, no. 3, 2022
[3] Katharina O. E. Müller, Jan von der Assen, Chao Feng, Burkhard Stiller: "An Overview and Ontology of Privacy to Preserve Privacy in Ultra-Wideband Networks"; IEEE International Conference on Privacy Computing, Haikou, China, pp. 1–9, Available Online
[4] Microsoft: "The STRIDE Threat Model"; Available Online, Last visit February 10, 2023

40% Design, 50% Implementation, 10% Documentation
Knowledge or Interest in Security and Privacy

Supervisors: Jan von der Assen
