IT Security & Data Privacy

Digital risks

IT security and data privacy

Risks for companies caused or intensified by digitization are manifold and of central importance to our Research Center Finance & Information Management and the Project Group Business & Information Systems Engineering of the Fraunhofer FIT. Our expertise team focuses on two main research areas: IT security as well as data  privacy. Digital risks include classic IT security topics and data privacy debates as well as systemic risks, e.g. regarding IT project portfolio management. In addition to questions of technical implementation, this also includes the consideration of the human risk factor. Furthermore, the protection of people’s informational self-determination, in particular the consideration of human decision-making behavior in dealing with IT systems and data, is a crucial element of our research and teaching endeavors.

Kompetenzen_Image_IT-Sicherheit & Datenschutz

IT Security

In the research area of IT security, the goal is to design protection and control measures for information and communication systems in and between companies and to evaluate them from an economically perspective. To achieve this goal, investments in IT security must be analyzed using a suitable combination of quantitative methods of financial risk management and non-monetary or qualitative approaches in order to enable a multidimensional evaluation and monitoring of measures to increase IT security. On this basis, the derivation of cost and benefit efficient portfolios of proactive and reactive IT security measures is supported, so that not only large companies but also in particular medium-sized companies can pursue economically reasonable IT security strategies despite limited budgets and resources. Decision support is provided in the form of tools to be developed that allow for a partially automated derivation and evaluation of alternative courses of action.
The research area focuses in particular on IT security in critical infrastructures (KRITIS) and the protection of companies from systemic risks caused by IT-based white-collar crime in complex and interdependent value-added networks. Thus, when managing IT security in KRITIS, companies are confronted with risk events that occur extremely rarely, but have an immense damage potential, since usually not only individual companies but also a large part of the economy and society are affected. When managing risks from IT-based white-collar crime, it is particularly important to consider the numerous and non-transparent dependencies that result from the ever greater integration of companies into global and increasingly virtualized value-added networks. In addition, the motivation of attackers on IT systems usually differs. While KRITIS, for example, can be a preferred target for terrorist attacks, in the area of IT-based white-collar crime, for example, the espionage of competitors is a possible motive for attacks.

Data Privacy

Our second major focus in the research area is the issue of data privacy. In an increasingly interconnected world and against the background of ever stricter legislation such as the EU Data Protection Basic Regulation, which came into force in 2018, the protection of data must be reconsidered. With the technological innovations of recent years, the volume of data that companies collect about their customers is increasing. Thus, the potential to generate success-relevant knowledge from data analyses is constantly increasing, especially since nowadays communication is communicated freely and without need for (mobile) devices, thus enabling constant passive data collection. However, current research results also show that customers often have great concerns about data protection and the use of their data. Customer needs should therefore be reconciled with the dimensions “legal requirements”, “technical feasibility” and “monetizability of data” in an economically reasonable way. In terms of a sustainable, value-oriented corporate strategy, the payments for data protection measures should be in an optimal ratio to the expected cash-effective losses due to data protection risks such as sales losses due to damage to reputation or fines. In addition to the perception of data privacy with a focus on risk minimization, data protection and respect for privacy can also be seen as an opportunity and in particular as a starting point for expanding classic value propositions. Data protection can be a driver for new business models by gaining trust and good reputation. You can find more detailed information on this topic in the following data privacy brochure.


Our activities

The Research Center FIM deals with relevant real-world problems both in publicly funded research projects and in applied research projects with partners in industry. Together with our partners, we develop unique and novel solutions based on our insights into the current state of research, our practical experience and the interdisciplinary and enthusiastic nature of our team. Selected projects are:

  • MAI ILQ (2018 – 2021):
    Inline production and quality control during cutting and milling of metallic and CFRP production applications
    Project’s objective: Data analytics and IoT-based value enhancement in metal-cutting processing by means of cross-company, sovereign data exchange without violation of know-how as a basis for AI-based Industry 4.0 production processes and inline quality control.
  • SIS 4.0 (2018 – 2022):
    Secure Industry 4.0 in Swabia (funded by the Bavarian State Ministry of Economic Affairs, Regional Development and Energy)
    Project’s objective: Research into innovative security solutions for the transformation to Industry 4.0, with special consideration of security requirements, to develop suitable solutions for the planning, implementation and optimization of digitized development, production and logistics processes and for the design of digital and data-based services and business models based on Industry 4.0 technologies.
  • Oberfranken 4.0 (2016 – 2020):
    (funded by the European Union and the Oberfrankenstiftung)
    Project’s objective: To support small and medium-sized enterprises, especially in Northern Bavaria, with a wide range of services in order to learn about future-oriented developments in the context of “Industry 4.0” and to use them for innovative solutions in their own production and logistics. An exemplary factory with ultra-modern Industry 4.0 demonstrators and applications on the campus of the University of Bayreuth is to promote the transfer of knowledge and technology between research and practice. One of the main goals is the development of new approaches to improve IT security management in the Industry 4.0 context, which should enable companies to guarantee IT security for new production processes, products and services in the Industry 4.0 area.
  • GESINE (2012 – 2015):
    (funded by the Federal Ministry for Economic Affairs and Energy (BMWi))
    Project’s objective: Development of a practicable security concept that provides companies with reliable information on compliance with laws and guidelines and the security of their electronic business processes.
  • eRep (2006 – 2009):
    (funded by the European Commission)
    Project’s objective: To determine what can be counted as relevant information about reputation. How can this information be represented, generated and distributed? And finally, how do agents deal with this information? In addition, the requirements for a supporting reputation system are to be analyzed from a technical point of view and the question is to be investigated to what extent existing systems meet these requirements. An assessment of the degree of automation that can be achieved and the implementation and simulation in a distributed system round off this interdisciplinary project.


The following studies, whitepapers and books were developed on the basis of research work and in cooperation with partners in industry:

Data privacy: Necessary bureaucracy or competitive advantage in dealing with digital customer data?

Scientific publications

In this area of expertise, we have published the following research papers in academic journals and at international conferences:

Approaching Digital Transformation : Development of a Multi-Dimensional Maturity Model
in: Proceedings of the 28th European Conference on Information Systems (ECIS), s.l., 2020
Berger, Stephan
Bitzer, Michael
Häckel, Björn
Voit, Christian
Estimating the Impact of IT Security Incidents in Digitized Production Environments
in: Decision Support Systems, 2020
Bürger, Olga
Häckel, Björn
Karnebogen, Philip
Töppel, Jannick
Value of data meets IT security : assessing IT security risks in data-driven value chains
in: Electronic Markets, 2020
Bitomsky, Laura
Bürger, Olga
Häckel, Björn
Töppel, Jannick
Assessing IT Availability Risks in Smart Factory Networks
in: Business Research, 2019
Häckel, Björn
Hänsch, Florian
Hertel, Michael
Übelhör, Jochen
How Privacy Affects the Acceptance of Mobile Payment Solutions
presented at: 27th European Conference on Information Systems (ECIS), Stockholm and Uppsala, Sweden, 2019
Reith, Riccardo
Buck, Christoph
Walther, Dennis
Lis, Bettina
Eymann, Torsten
An Experiment Series on App Information Privacy Concerns
presented at: 26th European Conference on Information Systems (ECIS), Portsmouth, UK, 2018
Buck, Christoph
Burster, Simone
Eymann, Torsten
Privacy as a Part of the Preference Structure of Users App Buying Decision
in: Leimeister, Jan Marco: Proceedings der 13. Internationalen Tagung Wirtschaftsinformatik (WI 2017), St. Gallen, 2017
Buck, Christoph
Stadler, Florian
Eymann, Torsten
Suckau, Kristin
Dealing with Privacy and Security Risks : App Consumers in Mobile Ecosystems
in: Dennis Kundisch ; Leena Suhl ; Lars Beckmann (Hrsg.): MKWI 2014 Multikonferenz Wirtschaftsinformatik, Univ., Paderborn, 2014
Buck, Christoph
Horbel, Chris
Eymann, Torsten
Das Privacy Paradox bei mobilen Applikationen : Kontextuale Besonderheiten mobiler Applikationen
in: Informatik 2013 : Informatik angepasst an Mensch, Organisation und Umwelt. Workshop RiskKom – Risikokommunikation im Kontext von IT-Sicherheit. Proceedings, Köllen, Bonn, 2013
Eymann, Torsten
Buck, Christoph

University of Augsburg

Further information can be found under Education in Augsburg.

University of Bayreuth

  • IT Security (Lecture, Master)

Further information can be found here.

Contact person

Prof. Dr. Torsten Eymann

Chair of Business Administration VII - Information Systems

Prof. Dr. Björn Häckel

Professorship for Digital Value Networks

Prof. Dr. Henner Gimpel

Professorship for Industrial Engineering and Management

Dr . Christoph

Dr. Robert