🤖 AI Summary
Existing Privacy Threat Analysis (PTA) approaches primarily focus on threat location and likelihood, neglecting the behavioral logic and intent of threat actors. Method: This paper proposes a Privacy Threat Modeling Framework (PTMF) for IoT systems, innovatively integrating the MITRE ATT&CK tactical framework with the LINDDUN privacy threat modeling methodology, and introducing an expert-driven threat propagation path mapping mechanism to systematically characterize behavior sequences and privacy violation intents of threat agents—including malicious applications, third-party services, and insider personnel. Contribution/Results: Empirical evaluation across 12 representative IoT privacy threats identifies three critical threat agent categories and their core action paths in scenarios such as user identity leakage. PTMF significantly enhances the interpretability of privacy risk assessments and the precision of countermeasures, providing both theoretical foundations and practical guidance for proactive privacy protection mechanisms.
📝 Abstract
Previous studies on privacy threat analysis (PTA) have focused on analyzing privacy threats based on the potential areas of occurrence and their likelihood of occurrence. However, an in-depth understanding of the threat actors involved, their actions, and the intentions that result in privacy threats is essential. In this paper, we present a novel Privacy Threat Model Framework (PTMF) that analyzes privacy threats through different phases.
The development of PTMF is motivated by selected tactics from the MITRE ATT&CK framework and techniques from the LINDDUN privacy threat model, making PTMF a privacy-centered framework. The proposed PTMF can be employed in various ways, including analyzing the activities of threat actors during privacy threats and assessing privacy risks in IoT systems, among others. In this paper, we conducted a user study on 12 privacy threats associated with IoT by developing a questionnaire based on PTMF and recruiting experts from both industry and academia in the fields of security and privacy to gather their opinions. The collected data were analyzed and mapped to identify the threat actors involved in the identification of IoT users (IU) and the remaining 11 privacy threats. Our observations revealed the top three threat actors and the critical paths they used during the IU privacy threat, as well as the remaining 11 privacy threats. This study could provide a solid foundation for understanding how and where privacy measures can be proactively and effectively deployed in IoT systems to mitigate privacy threats based on the activities and intentions of threat actors within these systems.