Threat Modeling with LEGO SERIOUS PLAY: Building your Digital Identity threat

At the World Wide Web Consortium (W3C), we know that security, privacy, and human rights are interconnected. This interconnection is especially true for digital identity technologies. As these technologies change, so must the way we understand and address threats.

In recent years, the W3C community has been exploring different ways to address technical threats and harm to individuals, to ensure that new standards, including those for digital identity, protect not only systems but also people, through Threat Modeling.

On October 14, 2025, this commitment took shape with a one-of-a-kind workshop, organized in collaboration with Threat Modeling Connect, entitled “Threat Modeling with LEGO© SERIOUS PLAY© - Build Your Digital Identity Threat”.

The workshop combined the threat modeling process with a creative and practical methodology developed by W3C to help participants visualize damage, transform it into threats, and build connections between different dimensions in the digital identity landscape.

From harms to threats

Traditional threat modeling frameworks rely on different threat categorization frameworks, such as STRIDE and LINDDUN, which W3C is already using in identifying security and privacy threats, respectively. However, the social and ethical implications of the web require a broader view. How to recognize threats to humanity or social impact?

W3C has begun to work on a new level of analysis of Digital Identities based on a mixed approach of Threat Modeling and Harms Modeling. Inspired by Microsoft's early work on responsible innovation and expanded through academic research, this approach focuses on identifying how different stakeholders (e.g., individuals or communities) might be negatively affected by a technology, and then tracing the technical causes of those impact - the threats - blending the harm modeling with threat modeling.

High-level threats are particularly important in the field of digital identity, where credentials issued by governments - such as national ID cards, passports, and education certificates - can become tools of inclusion or exclusion. As governments and organizations adopt verifiable credentials and digital wallets, the associated threats are no longer limited to technical failures but also extend to profiling, discrimination, and human rights violations.

Why LEGO© SERIOUS PLAY©?

To bridge this gap, the workshop used LEGO© SERIOUS PLAY© (LSP), a facilitation method originally developed by the LEGO Group in the 1990s for strategic thinking and problem solving. LSP is based on the concept of “manual knowledge”, the idea that building physical models helps unlock abstract understanding and encourages inclusive participation.

In the session, each participant received a set of LEGO bricks and was given a challenge: “Build a threat from harm”. The tactile and metaphorical process helped to transform complex and often abstract ethical and social considerations into tangible representations that participants could literally hold in their hands, modify, and connect.

As Simone explained during the session - as he’s a Certified facilitator of LEGO® SERIOUS PLAY® method and materials by The Association of Master Trainers - by externalizing thought through play, we allow everyone to see —and question— the invisible assumptions behind technological design.

Building threats

The workshop followed the classic four-phase rhythm of LSP - Listen, Build, Share, Reflect - with challenges that followed the structure of a threat modeling process, generating threats from the harms. As the Threat Modeling Community Group and Security Interest Group are categorizing the various categories of harms and threats, they found specific harms related to Digital Identities in Enhancing National Digital Identity Systems by Corti et al. (2025). These included issues such as discrimination based on personal characteristics, illegal use of data beyond consent, exposure to domestic abuse, persecution, and economic exclusion through increased transaction costs.

From individual models to landscapes: analyzing connections

In the second phase, participants were asked to arrange the models spatially so that the connections between damage and threats formed a coherent story, a “super-story” of the collective threat landscape.

This interconnected step showed how individual harms are rarely isolated. For example, misuse of data can lead to profiling, which in turn can lead to discriminatory denial of services. Similarly, exposure to domestic abuse was linked to inadequate wallet security controls, demonstrating that technical and social security measures are inseparable.

Lessons learned

In the final retrospective, the traditional LEGO® SERIOUS PLAY® “duck” exercise, participants rebuilt the symbolic duck they had created at the beginning of the session, now reflecting what they had learned.

Insights emerged from participants:

• "Money lost/spent leading to decreased standards of living"
• "I learned to connect ideas and concepts in different ways and forms"
• "The most unexpected things are strongly connected"

These reflections helped to understand that threat modeling based on human experience expands our imagination. Transforming a security or privacy analysis from a checklist exercise to a collaborative exploration of possible futures, both positive and negative.

Beyond the workshop

The workshop demonstrated that integrating LSP into W3C's security, privacy, and human rights work is not only feasible but also transformative.

Participants were able to visualize complex and abstract harms and threats, and the method helps uncover assumptions that traditional textual analysis often overlooks.

For the W3C community, this experiment is in line with ongoing initiatives by the Security Interest Group, the Privacy Working Group, and the Threat Modeling Community Group.

The exercise also reinforced W3C's broader commitment to open and participatory processes. Just as web standards are born of collaboration and transparency, so too should our understanding of the threats be.

Conclusion

The Threat Modeling with LEGO® SERIOUS PLAY® workshop, which focused on digital identity, was a step toward the integration of human-centered thinking in the technical standardization process. Participants didn't just analyze threats; they built, connected, and understood them together.

As the W3C community continues to define standards for the next generation of identity technologies, this exercise reminds us that technology has an important social impact.

W3C will continue to refine this approach - focusing on the user and humans - within its Threat Modeling Community Group to invite others to join the conversation and, perhaps, build their own threats.