    LINDDUN

    Privacy threat modeling framework that decomposes privacy threats into seven categories, the privacy counterpart to STRIDE.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    LINDDUN is a privacy-focused threat modeling methodology developed at KU Leuven. The acronym names seven privacy threat categories: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance. LINDDUN GO (a lightweight card-deck variant) and LINDDUN PRO (a full data-flow-diagram methodology) walk teams through identifying privacy threats in each category against the data flows and data stores of the system. The output is a prioritized set of privacy threats, each mapped to privacy-enhancing technologies (PETs) and controls.

    What the regulation says

    Not specifically cited by FDA, but recommended as a privacy threat modeling approach by ENISA, referenced in the EDPB Data Protection by Design guidelines, and increasingly cited by notified bodies reviewing the privacy and data protection requirements of EU MDR Annex I.

    What this means in practice

    For medical devices that process PHI or generate identifiable health data, and especially for cloud-connected SaMD, AI/ML devices that retain inference logs, and digital therapeutics, LINDDUN complements STRIDE by surfacing threats STRIDE doesn't cover (re-identification of pseudonymized data, inference of sensitive attributes, linkability across datasets). EU GDPR and HIPAA both expect privacy-by-design analysis; LINDDUN is the most rigorous public methodology for it.
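    The re-identification and linkability threats named above are the ones a LINDDUN review asks a team to check for explicitly, and they can be measured rather than only discussed. The following is an added example, not code from the page, from KU Leuven or from the LINDDUN project: it runs a Linkability and Identifiability check over a constructed, pseudonymized inference-log export from a hypothetical SaMD and a second constructed dataset (a registration list) that shares the same quasi-identifiers, then applies two PETs from the usual LINDDUN mapping (generalization and suppression) and re-measures. All records, field names and tokens are invented for the example.

```python
"""Linkability / Identifiability check in the LINDDUN sense, on constructed data.

Added example, not from the page or the LINDDUN project.  Field names
(token, zip, birth_year, sex, result) and all values are hypothetical.
"""
from collections import Counter, defaultdict

# Constructed sample: a "pseudonymized" inference log from a cloud-connected
# SaMD.  The direct identifier was replaced by a random token, but the
# quasi-identifiers (QIs) that describe the person were left untouched.
INFERENCE_LOG = [
    {"token": "a91f", "zip": "02139", "birth_year": 1958, "sex": "F", "result": "arrhythmia"},
    {"token": "b7c2", "zip": "02139", "birth_year": 1958, "sex": "F", "result": "normal"},
    {"token": "c3d8", "zip": "02138", "birth_year": 1955, "sex": "F", "result": "normal"},
    {"token": "d44e", "zip": "94110", "birth_year": 1975, "sex": "M", "result": "arrhythmia"},
    {"token": "e5a0", "zip": "94110", "birth_year": 1975, "sex": "M", "result": "normal"},
    {"token": "f612", "zip": "60614", "birth_year": 1990, "sex": "F", "result": "normal"},
]

# Constructed sample: a second dataset the same organisation holds (a device
# registration list).  It carries names and the same QIs, but no tokens.
REGISTRATIONS = [
    {"name": "Patient One",   "zip": "02139", "birth_year": 1958, "sex": "F"},
    {"name": "Patient Two",   "zip": "02138", "birth_year": 1955, "sex": "F"},
    {"name": "Patient Three", "zip": "94110", "birth_year": 1975, "sex": "M"},
    {"name": "Patient Four",  "zip": "60614", "birth_year": 1990, "sex": "F"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that an analyst could join on."""
    return tuple(record[f] for f in fields)


def link_datasets(pseudonymized, identified, fields=QUASI_IDENTIFIERS):
    """Linkability: join the two datasets on shared QIs.

    Returns {token: [candidate names]} for every pseudonymized record that
    matches at least one identified record.  One candidate name means the
    pseudonym no longer protects that record (Identifiability).
    """
    by_key = defaultdict(list)
    for rec in identified:
        by_key[qi_key(rec, fields)].append(rec["name"])
    return {rec["token"]: by_key[qi_key(rec, fields)]
            for rec in pseudonymized if qi_key(rec, fields) in by_key}


def assess(pseudonymized, identified, fields=QUASI_IDENTIFIERS):
    """Measure the dataset: k-anonymity over the QIs, the records that are
    unique on their QIs, and the records linked to exactly one named person."""
    counts = Counter(qi_key(r, fields) for r in pseudonymized)
    links = link_datasets(pseudonymized, identified, fields)
    return {
        "k": min(counts.values()) if counts else 0,
        "singletons": sorted(r["token"] for r in pseudonymized
                             if counts[qi_key(r, fields)] == 1),
        "uniquely_linked": sorted(t for t, names in links.items() if len(names) == 1),
    }


def generalize(records):
    """PET 1, generalization: coarsen zip to a 3-digit prefix and birth year
    to a decade.  Returns new records; the input is not modified."""
    out = []
    for rec in records:
        coarse = dict(rec)
        coarse["zip"] = rec["zip"][:3] + "**"
        coarse["birth_year"] = (rec["birth_year"] // 10) * 10
        out.append(coarse)
    return out


def suppress_singletons(records, fields=QUASI_IDENTIFIERS):
    """PET 2, suppression: drop records still unique on their QIs after
    generalization, so every remaining QI class has at least two members."""
    counts = Counter(qi_key(r, fields) for r in records)
    return [r for r in records if counts[qi_key(r, fields)] >= 2]


if __name__ == "__main__":
    print("raw export:        ", assess(INFERENCE_LOG, REGISTRATIONS))
    gen_log, gen_reg = generalize(INFERENCE_LOG), generalize(REGISTRATIONS)
    print("generalized:       ", assess(gen_log, gen_reg))
    print("gen + suppressed:  ", assess(suppress_singletons(gen_log), gen_reg))
```

    On the raw export every token is linked to exactly one name, which is the Identifiability finding a STRIDE-only review would miss. Generalization followed by suppression brings the export to k = 2, yet two records still link uniquely to a named registrant, because k-anonymity within one dataset says nothing about linkability against a second dataset the organisation (or an attacker) also holds. That is why LINDDUN treats Linkability and Identifiability as separate categories and why the PET mapping has to be checked against every dataset the data can be joined with, not just the one being released.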

    Common pitfalls

    • Running STRIDE only and assuming privacy is covered: STRIDE addresses security and LINDDUN addresses privacy, and the two identify different threats.
    • Skipping the PET (privacy-enhancing technology) mapping: without it, LINDDUN produces a list of threats with no controls.
    • Limiting LINDDUN to the data layer: privacy threats also arise from UI design (Unawareness) and from process design (Non-compliance).

    Primary references

    1. LINDDUN privacy threat modeling. KU Leuven, linddun.org
    2. ENISA Privacy and Data Protection by Design. ENISA, enisa.europa.eu
    3. HSCC - Health Sector Coordinating Council. HSCC, healthsectorcouncil.org