There is a lot of literature on this issue. You may take a look at:

Deng et al. (2010), A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements, or

Luna et al. (2012), Privacy-by-Design Based on Quantitative Threat Modeling.

Unfortunately, you always have to check which privacy theory the authors took as a basis. More often than not, authors in the technical field like computer science will just omit which theory they use.

For more results try +privacy +"threat modeling" on Google Scholar.

Thank youv ery much for your answer!

Sadly, it looks like this literature does not look from a users' perspective in regards of building and categorizing(perceived) threats. I am arguing that the threats are not clear a priori, but should be deduced from what the user perceives as a relevant threat (at least in addition to the "objective" threats).

Do you know any literature following such an approach i.e. in using a UCD process?

The methodology is independent of the perspective you chose.

Considering a dyadic relationship, i.e. a data processor and a data subject, you basically have three choices. You may take

(1) an "objective" point of view, i.e. by looking into the privacy law or the privacy literature,

(2) a data processor's perspective, i.e. by asking the data processor, or

(3) a data subject's perspective, i.e. by asking the data subject(s).

There are also approaches which try to integrate different perspectives. You may want to take a look at the literature on "multilateral security".

Sometimes, a privacy or data protection law may force you to take a specific perspective. If it does, it usually forces you to take the data subject's perspective.

I think you can use any of these approaches. You always have to apply the methodology to your specific needs.

Thank you again!However, i have to disagree regarding the methodology independence you mentioned.  Isnt it  heavily dependening on the perspective you choose, which methodology you should and will adopt, as your research question will change depending on the perspective?(1) From an objective point of view, you might focus on law - as you said. Maybe the research question then could focus on sth like "adapting privacy laws to a networked world"(2) Taking a processors' view, question arise such as "How can we use algorithms to avoid / reduce privacy invasive data collection"(3) Putting more emphasis on the user, thirdly, rather pinpoints towards the interaction of the user with software and how to design meaningful privacy-relevant interactions from their point of view.All three questions should be addressed by a tailored methodology, dont you think, e.g. (3) a user centered design process? Did I get you all wrong?

Ohh, sorry. I was only talking about the threat modelling process, not the software or system development process as a whole. Concerning the development process as a whole, I think you're right.

On the other side, I think the threat modelling process is independent of where do you get your threat list or threat tree from. In the first case, your question would be what the privacy theory or the privacy law identifies as threat to the user's (or data subject's) security or her privacy, and how it expects you to mitigate the threats identified. In the second case, you would ask the data processor which threats she identifies and wants you to mitigate. And in the third case, you would ask the user about her view on this issue.

A user-centered design process is addressing much more questions than just security and privacy questions. I would expect that you could embed a threat modelling process into a user-centered design process.

Oh, and this time i got you wrong ;-)

I totally agree to your statement, the modelling itsself doesnt necessarily differ and the modelling process should be embedded within a whole design process, naturally.

Which brings me back to my question: Do you know anyone who has done such an embedding? I see a certian potential in this, regarding user understanding and awareness of privacy implications of i.e. online/cloud services.

Unfortunately, I've only seen articles yet that either talk about general software design methodologies or about threat modelling, but not both. But that doesn't mean that there are none.