Privacy Impact Tree Analysis (PITA): A Tree-Based Privacy Threat Modeling Approach

Bibliographic Details
Published in: IEEE Transactions on Software Engineering, vol. 51, no. 7, pp. 2102-2124
Main Author: Van Landuyt, Dimitri
Format: Journal Article
Language: English
Published: New York, IEEE (IEEE Computer Society), 01.07.2025
Summary: Threat modeling involves the early identification, prioritization and mitigation of relevant threats and risks during the design and conceptualization stages of the software development life-cycle. Tree-based analysis is a structured risk analysis technique that starts from the articulation of possible negative outcomes and then systematically refines these into sub-goals, events or intermediate steps that contribute to this outcome becoming reality. While tree-based analysis techniques are widely adopted in the area of safety (fault tree analysis) and in cybersecurity (attack trees), this type of risk analysis approach is lacking in the area of privacy. To alleviate this, we present privacy impact tree analysis (PITA), a novel tree-based approach for privacy threat modeling. Instead of starting from safety hazards or attacker goals, PITA starts from listing the potential privacy impacts of the system under design, i.e., specific scenarios in which the system creates or contributes to specific privacy harms. To accommodate this, PITA provides a taxonomy that distinguishes between privacy impact types pertaining to (i) data subject identity, (ii) data subject treatment, (iii) data subject control and (iv) treatment of personal data. In addition, a pragmatic methodology is presented that leverages both the hierarchical nature of the tree structures and the early ranking of impacts to focus the privacy engineering efforts. Finally, building upon the privacy impact notion as captured in the privacy impact trees, we provide a refinement of the foundational concept of the overall or aggregated 'privacy footprint' of a system. The approach is demonstrated and validated in three complex and contemporary real-world applications, through which we highlight the added value of this tree-based privacy threat analysis approach that refocuses on privacy harms and impacts.
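As an added illustration of the tree structure the abstract describes (this is not code from the paper or its authors), the following Python sketch builds privacy impact trees for a constructed fitness-app scenario, tags each root impact with one of the four taxonomy types named above, ranks the impacts so that analysis effort goes to the highest-risk ones first, aggregates a per-category footprint, and uses the hierarchy to check what a single mitigation actually buys. The AND/OR gate semantics, the leaf plausibility and severity scores, the risk product and the sum-based footprint are all assumptions borrowed from fault and attack tree practice; the paper's own scoring and aggregation rules are not reproduced on this page.

```python
import copy
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class ImpactType(Enum):
    """The four privacy impact types of the PITA taxonomy (named in the abstract)."""
    DATA_SUBJECT_IDENTITY = "data subject identity"
    DATA_SUBJECT_TREATMENT = "data subject treatment"
    DATA_SUBJECT_CONTROL = "data subject control"
    PERSONAL_DATA_TREATMENT = "treatment of personal data"


@dataclass
class Node:
    """One node of a privacy impact tree.

    The root states a privacy impact (a harm scenario); inner nodes are the
    sub-goals or intermediate steps that contribute to it; leaves are concrete
    events with an analyst-assigned plausibility in [0, 1]. The AND/OR gates and
    the propagation rule are assumptions borrowed from fault/attack trees.
    """
    label: str
    gate: str = "OR"                      # "AND" or "OR"; ignored on leaves
    plausibility: Optional[float] = None  # leaves only
    children: List["Node"] = field(default_factory=list)

    def score(self) -> float:
        if not self.children:
            if self.plausibility is None:
                raise ValueError(f"leaf {self.label!r} has no plausibility")
            return self.plausibility
        scores = [c.score() for c in self.children]
        # OR: one contributing step suffices, so the strongest dominates;
        # AND: every step is needed, so the weakest limits the outcome.
        return max(scores) if self.gate == "OR" else min(scores)

    def find(self, label: str) -> Optional["Node"]:
        if self.label == label:
            return self
        for c in self.children:
            hit = c.find(label)
            if hit is not None:
                return hit
        return None


@dataclass
class PrivacyImpact:
    tree: Node
    impact_type: ImpactType
    severity: int  # 1..5, analyst judgement of the harm to the data subject

    def risk(self) -> float:
        return self.severity * self.tree.score()


def rank_impacts(impacts: List[PrivacyImpact]) -> List[PrivacyImpact]:
    """Early ranking: highest-risk impacts first, to focus engineering effort."""
    return sorted(impacts, key=lambda i: i.risk(), reverse=True)


def privacy_footprint(impacts: List[PrivacyImpact]) -> Dict[ImpactType, float]:
    """Aggregate risk per taxonomy category (assumed rule: plain sum)."""
    fp = {t: 0.0 for t in ImpactType}
    for i in impacts:
        fp[i.impact_type] += i.risk()
    return fp


def residual_risk(impact: PrivacyImpact, mitigated_leaf: str) -> float:
    """Risk left if one leaf event is fully prevented (plausibility set to 0)."""
    trial = copy.deepcopy(impact)
    leaf = trial.tree.find(mitigated_leaf)
    if leaf is None or leaf.children:
        raise ValueError(f"{mitigated_leaf!r} is not a leaf of this tree")
    leaf.plausibility = 0.0
    return trial.risk()


def example_impacts() -> List[PrivacyImpact]:
    """Constructed sample for a hypothetical fitness app; all values are illustrative."""
    reidentified = Node("User re-identified from exported location traces", "AND", children=[
        Node("Location traces exported to a third party", plausibility=0.75),
        Node("Exported traces linkable to a person", "OR", children=[
            Node("Home and workplace inferable from routes", plausibility=0.5),
            Node("Export carries a persistent user id", plausibility=0.25),
        ]),
    ])
    no_withdrawal = Node("User cannot withdraw consent for analytics", "OR", children=[
        Node("No in-app opt-out for analytics", plausibility=0.875),
        Node("Opt-out not propagated to analytics vendor", plausibility=0.375),
    ])
    retention = Node("Health data retained beyond the stated period",
                     children=[Node("No deletion job for inactive accounts", plausibility=0.5)])
    premium = Node("Step counts used to set an insurance premium", "AND", children=[
        Node("Data shared with an insurer", plausibility=0.25),
        Node("Insurer uses the data for pricing", plausibility=0.5),
    ])
    return [
        PrivacyImpact(reidentified, ImpactType.DATA_SUBJECT_IDENTITY, severity=5),
        PrivacyImpact(no_withdrawal, ImpactType.DATA_SUBJECT_CONTROL, severity=2),
        PrivacyImpact(retention, ImpactType.PERSONAL_DATA_TREATMENT, severity=4),
        PrivacyImpact(premium, ImpactType.DATA_SUBJECT_TREATMENT, severity=5),
    ]


if __name__ == "__main__":
    for i in rank_impacts(example_impacts()):
        print(f"{i.risk():.3f}  {i.impact_type.value:28s}  {i.tree.label}")
    print(privacy_footprint(example_impacts()))
```

The `residual_risk` check is where the hierarchy earns its keep: in the re-identification tree, preventing only the persistent user id changes nothing, because the OR sibling (route inference) still links the traces to a person, whereas stopping the export itself, the AND-gated step every path needs, drives the impact to zero. That is the kind of prioritisation the tree makes visible that a flat list of impacts would not.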
ISSN: 0098-5589, 1939-3520
DOI: 10.1109/TSE.2025.3573380