Enabling a model-driven workflow for ongoing interdisciplinary collaboration in legal threat modeling

Context:
Software systems often provide critical functionality or process personal data, requiring compliance with applicable legal regulations. Ensuring legal conformity demands close collaboration between legal and technical experts, but differences in terminology and methodology make this challenging.
Objective:
In this article, we aim to address the challenges in legal interdisciplinary collaboration by proposing a model-based workflow for ongoing and collaborative legal assessments within the context of threat modeling.
Method:
The central aspects of the workflow are based on model-driven engineering techniques and were developed through active collaboration between researchers in software engineering and legal informatics/data protection at the KASTEL Security Research Labs. The goal of the collaboration was to integrate the methodologies of both domains into the workflow equally.
Result:
The proposed workflow centers on maintaining consistency between a legal viewpoint and data flow diagrams, addressing legal subsumption, allowing each discipline to work from its own perspective while providing automated support in threat identification through an extended existing data flow analysis framework that considers legal interpretation. ... mehrWe evaluate the workflow and its modeling artifacts by applying it in the domain of the GDPR, discussing feasibility and applicability, and measuring the accuracy and scalability of the extended data flow analysis.
Conclusion:
By combining discipline-specific viewpoints with automated consistency and threat identification, the workflow supports collaboration and enables iterative assessments. Our findings suggest that the presented workflow is suitable and operationalizable, but identify potential challenges in practical application or transfer to other legal domains.