IT-Security and Data privacy
Risks for companies caused or intensified by digitization are manifold and of central importance to our Research Center Finance & Information Management and the Project Group Business & Information Systems Engineering of the Fraunhofer FIT. The research area has two main foci: IT security as well as data protection and data privacy. Digital risks include classic IT security topics and data privacy debates as well as systemic risks, e.g. regarding IT project portfolio management. In addition to questions of technical implementation, this also includes the consideration of the human risk factor. Furthermore, the protection of people’s informational self-determination, in particular the consideration of human decision-making behavior in dealing with IT systems and data, is a crucial element of our research and teaching endeavors.
In the research area IT security, we pursue the goal of designing and economically evaluating protection and control measures for information and communication systems in and between companies. IT security investments have to be analyzed by combining quantitative methods of financial risk management with non-monetary and qualitative approaches in order to enable a multidimensional evaluation and management of measures to improve IT security. On this basis, we support the derivation of cost- and benefit-efficient portfolios of proactive and reactive IT security measures. We aim to enable large as well as small and medium-sized companies to pursue economically sensible IT security strategies while considering limited budgets and resources. To this end, we design decision support tools which enable the semi-automated derivation and evaluation of IT security measures. A special focus of the research area is on IT security risks in critical infrastructures as well as the protection against systemic risks of IT-driven white-collar crime in complex and interdependent networks. Generally, such events occur very rarely. However, the loss potential is immense, as usually not only the companies themselves are affected, but large parts of the economy and society as well. When managing the risks of IT-driven white-collar crime, particular attention must be paid to the numerous and obscure dependency structures that result from the increasing integration of companies in global and increasingly virtualized value creation networks. Furthermore, the motivation of the attackers on the IT systems usually differs. Critical infrastructures can be a preferred target for terrorist attacks, for example. Regarding IT-driven white-collar crime, the espionage of competitors may be a motive for attacks.
The second major area of research is data protection and data privacy. In an increasingly interconnected world and in the face of increasing legal requirements like the new European GDPR, we need to consider data protection and data privacy in a new light. With the technological innovations of recent years, the volume of customer data that companies collect and possess has increased. At the same time, the potential to generate business-relevant insights from data analyses is constantly growing, particularly as mobile users communicate freely and thus enable constant passive data collection. Current research shows, however, that customers often have great concerns regarding data protection and data privacy. Therefore, we discuss customer needs together with the three dimensions “legal requirements”, “technical feasibility” and “monetizability of data” in order to achieve an economically sound concordance. In a sustainable and value-based business strategy, data protection and data privacy investments should therefore be in an optimal relation to the risks (e.g., a revenue collapse through reputational damages or fines). Furthermore, beyond a risk minimization perspective on data protection and data privacy, they can be seen as enablers of business opportunities and drivers for new business models through increased reputation and trust. Further detailed information on this topic can be found in the following data protection and data privacy brochure.
Research Projects with public funding:
- SIS 4.0 (2018-2022):
The aim of the research project “Safe Industry 4.0 in Swabia” (SIS 4.0) is the development of innovative security solutions for the transformation towards Industry 4.0. With special consideration of security requirements, we currently develop suitable solutions for the planning, implementation, and optimization of digitalized development, production, and logistic processes as well as for the design of digital and databased services and business models based on IoT technologies.
(funded by Bavarian State Ministry of Economic Affairs, Regional Development and Energy)
- Oberfranken 4.0 (2016-2020):
The aim of the research project Oberfranken 4.0 is to support small and medium-sized enterprises, especially in the North Bavarian region, with a broad spectrum of services to become familiar with trending developments in the area of “Industry 4.0” and to use them for innovative solutions in their own production and logistics. Furthermore, an exemplary factory with state-of-the-art Industry 4.0 demonstrators and applications on the campus of the University of Bayreuth aims to promote the transfer of knowledge and technology between research and practice. One of the main goals is the development of new approaches for the improvement of IT security management in the Industry 4.0 context. These approaches are meant to enable companies to ensure IT security for new production processes, products and services in the area of Industry 4.0.
(funded by European Union and Oberfrankenstiftung)
- GESINE (2012-2015):
The focus of the GESINE project was to develop a practical security concept that provides companies with reliable information on compliance with laws and guidelines and the security of their electronic business processes.
(funded by the Federal Ministry of Economics and Energy (BMWi))
- eRep (2006-2009):
The first aim of this project was to find out what can be considered as relevant information regarding reputation. How can this information be represented, generated and distributed? And how do agents deal with this information? In addition, the requirements for an auxiliary reputation system were analyzed from a technical point of view and it was investigated to what extent existing systems fulfill these requirements. An assessment of the achievable degree of automation and the implementation and simulation in a distributed system rounded off this interdisciplinary project.
(funded by the European Commission)