W3C - Security Interest Group

Threat Modeling with LEGO SERIOUS PLAY: Building your Digital Identity threat

Mon, 20 Oct 2025 18:38:00 +0000

At the World Wide Web Consortium (W3C), we know that security, privacy, and human rights are interconnected. This interconnection is especially true for digital identity technologies. As these technologies change, so must the way we understand and address threats.

In recent years, the W3C community has been exploring different ways to address technical threats and harm to individuals, to ensure that new standards, including those for digital identity, protect not only systems but also people, through Threat Modeling.

On October 14, 2025, this commitment took shape with a one-of-a-kind workshop, organized in collaboration with Threat Modeling Connect, entitled “Threat Modeling with LEGO© SERIOUS PLAY© - Build Your Digital Identity Threat”.

The workshop combined the threat modeling process with a creative and practical methodology developed by W3C to help participants visualize damage, transform it into threats, and build connections between different dimensions in the digital identity landscape.

From harms to threats

Traditional threat modeling frameworks rely on different threat categorization frameworks, such as STRIDE and LINDDUN, which W3C is already using in identifying security and privacy threats, respectively. However, the social and ethical implications of the web require a broader view. How to recognize threats to humanity or social impact?

W3C has begun to work on a new level of analysis of Digital Identities based on a mixed approach of Threat Modeling and Harms Modeling. Inspired by Microsoft's early work on responsible innovation and expanded through academic research, this approach focuses on identifying how different stakeholders (e.g., individuals or communities) might be negatively affected by a technology, and then tracing the technical causes of those impact - the threats - blending the harm modeling with threat modeling.

High-level threats are particularly important in the field of digital identity, where credentials issued by governments - such as national ID cards, passports, and education certificates - can become tools of inclusion or exclusion. As governments and organizations adopt verifiable credentials and digital wallets, the associated threats are no longer limited to technical failures but also extend to profiling, discrimination, and human rights violations.

Why LEGO© SERIOUS PLAY©?

To bridge this gap, the workshop used LEGO© SERIOUS PLAY© (LSP), a facilitation method originally developed by the LEGO Group in the 1990s for strategic thinking and problem solving. LSP is based on the concept of “manual knowledge”, the idea that building physical models helps unlock abstract understanding and encourages inclusive participation.

In the session, each participant received a set of LEGO bricks and was given a challenge: “Build a threat from harm”. The tactile and metaphorical process helped to transform complex and often abstract ethical and social considerations into tangible representations that participants could literally hold in their hands, modify, and connect.

As Simone explained during the session - as he’s a Certified facilitator of LEGO® SERIOUS PLAY® method and materials by The Association of Master Trainers - by externalizing thought through play, we allow everyone to see —and question— the invisible assumptions behind technological design.

Building threats

The workshop followed the classic four-phase rhythm of LSP - Listen, Build, Share, Reflect - with challenges that followed the structure of a threat modeling process, generating threats from the harms. As the Threat Modeling Community Group and Security Interest Group are categorizing the various categories of harms and threats, they found specific harms related to Digital Identities in Enhancing National Digital Identity Systems by Corti et al. (2025). These included issues such as discrimination based on personal characteristics, illegal use of data beyond consent, exposure to domestic abuse, persecution, and economic exclusion through increased transaction costs.

A model to illustrate ethnic and/or religious profiling

A model to illustrate discrimination based on individual characteristics

From individual models to landscapes: analyzing connections

In the second phase, participants were asked to arrange the models spatially so that the connections between damage and threats formed a coherent story, a “super-story” of the collective threat landscape.

This interconnected step showed how individual harms are rarely isolated. For example, misuse of data can lead to profiling, which in turn can lead to discriminatory denial of services. Similarly, exposure to domestic abuse was linked to inadequate wallet security controls, demonstrating that technical and social security measures are inseparable.

Models connected spatially

Lessons learned

In the final retrospective, the traditional LEGO® SERIOUS PLAY® “duck” exercise, participants rebuilt the symbolic duck they had created at the beginning of the session, now reflecting what they had learned.

Insights emerged from participants:

"Money lost/spent leading to decreased standards of living"
"I learned to connect ideas and concepts in different ways and forms"
"The most unexpected things are strongly connected"

These reflections helped to understand that threat modeling based on human experience expands our imagination. Transforming a security or privacy analysis from a checklist exercise to a collaborative exploration of possible futures, both positive and negative.

"Thinking about harm naturally leads to framing threats, and then creating stories about those threats, and thinking of how your project can be compromised"

Symbolic LEGO duck and lesson learned

Beyond the workshop

The workshop demonstrated that integrating LSP into W3C's security, privacy, and human rights work is not only feasible but also transformative.

Participants were able to visualize complex and abstract harms and threats, and the method helps uncover assumptions that traditional textual analysis often overlooks.

For the W3C community, this experiment is in line with ongoing initiatives by the Security Interest Group, the Privacy Working Group, and the Threat Modeling Community Group.

The exercise also reinforced W3C's broader commitment to open and participatory processes. Just as web standards are born of collaboration and transparency, so too should our understanding of the threats be.

Conclusion

The Threat Modeling with LEGO® SERIOUS PLAY® workshop, which focused on digital identity, was a step toward the integration of human-centered thinking in the technical standardization process. Participants didn't just analyze threats; they built, connected, and understood them together.

As the W3C community continues to define standards for the next generation of identity technologies, this exercise reminds us that technology has an important social impact.

W3C will continue to refine this approach - focusing on the user and humans - within its Threat Modeling Community Group to invite others to join the conversation and, perhaps, build their own threats.

Web Security: shaping the secure Web

Seth Dobbs — Wed, 21 Aug 2024 12:14:00 +0000

Continuing the series that puts the emphasis on the key areas that help ensure that the Web works, for everyone, this month I am diving into Web security. It is one of the key areas that we call “horizontals” and that shape every W3C work package because they involve approaches that are common to all work groups. Our horizontals are Web accessibility, internationalization, security and privacy.

The imperative

A technology isn’t truly beneficial to humanity if it isn’t safe, and security standards are an essential aspect of ensuring the Web is safe.

Security, along with Privacy, are integral to human rights and civil liberties and have long been important in the World Wide Web Consortium's agenda. W3C has a long history of improving Web security and our work has been instrumental through the development of authentication technologies that can replace weak passwords and help mitigate threats from phishing and similar attacks.

Security is essential to our digital lives as appropriate measures can create trust between people, organizations, businesses, and governments, and while advances on the web make it easier for people to interconnect, this results in a wider attack surface for servers. In other words, the more ways you allow people to interact with your site and products, the more ways bad actors have of attacking.
As users we want to engage with what we trust. We want to ensure our information, our money, and other resources aren’t stolen. We want to make sure we are interacting with who we really think we’re interacting with. As a provider of information, service, or product on the web we want to ensure that we reduce risks and costs, and that we increase trust and strengthen our reputation.

How W3C approaches Security

We follow a recipe that is simple but which details are of importance:

Develop security technology standards
Review the security of web standards
Guide Web Developers to design and develop in a secure manner

At the heart of developing the right security standards is threat modeling, which enables the creation of living documents that identify cross-areas threats and mitigations and provide information on residual risks, and in turn frame and guide technical specifications.

We are in the process of elevating the conduct of reviews from a pool of volunteers to a chartered group, called the Security Interest Group (SING) whose charter the W3C Members are currently assessing as part of approving the group. With a mission to improve Security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies, the Security Interest Group would also suggest changes to existing standards and technologies to improve the security of existing systems.

Last February, we welcomed to the W3C Team our new Security Lead, Simone Onofri. Among the many projects he set into place, he helped launch a cross-organization group, called the Security Web Application Guidelines (SWAG) Community Group, to guide Web developers and ensure a holistic approach to security through the edition of web creators security best practices and providing a platform for stakeholder collaboration (e.g., OpenSSF, OWASP, Open Web Docs, etc.)

In focus: Digital Identities

In recent years we've seen the emergence of the paradigm of decentralized identity and credentials, where users have a digital wallet and control over their identity. All sectors, from social networks and education to enterprises and governments worldwide are considering becoming providers and consumers, with the intention to have digital credentials that are more secure and privacy-preserving than physical ones.

Given the societal, ethical, and technical impacts, Simone and the W3C Team wrote a paper on Digital Identities on the Web. "Identity & the Web" analyzes through different use cases the systemic impact on both the market side and the human side, as well as the role that Web standardization may play in managing that impact. We published the report this month and are looking forward to charting a credible and safe path to strengthen the position of the Web during this rapid evolution phase of the information ecosystem.

Key players

I want to conclude by emphasizing that as a horizontal area, Web Security matters to most and that most can be key players. Whether you are an independent developer or work for an organization that develops products or services, or are a user, your participation in Web Security can make a difference and will be meaningful: contributing to a Web that works for all humanity.