IT Security & Data Privacy

Digital risks

IT security and data privacy

Risks for companies caused or intensified by digitization are manifold and of central importance to our Research Center Finance & Information Management and the Project Group Business & Information Systems Engineering of the Fraunhofer FIT. Our expertise team focuses on two main research areas: IT security as well as data privacy. Digital risks include classic IT security topics and data privacy debates as well as systemic risks, e.g. regarding IT project portfolio management. In addition to questions of technical implementation, this also includes the consideration of the human risk factor. Furthermore, the protection of people’s informational self-determination, in particular the consideration of human decision-making behavior in dealing with IT systems and data, is a crucial element of our research and teaching endeavors.


IT Security

In the research area of IT security, the goal is to design protection and control measures for information and communication systems in and between companies and to evaluate them from an economic perspective. To achieve this goal, investments in IT security must be analyzed using a suitable combination of quantitative methods of financial risk management and non-monetary or qualitative approaches in order to enable a multidimensional evaluation and monitoring of measures to increase IT security. On this basis, the derivation of cost- and benefit-efficient portfolios of proactive and reactive IT security measures is supported, so that not only large companies but also in particular medium-sized companies can pursue economically reasonable IT security strategies despite limited budgets and resources. Decision support is provided in the form of tools to be developed that allow for a partially automated derivation and evaluation of alternative courses of action.
The research area focuses in particular on IT security in critical infrastructures (KRITIS) and the protection of companies from systemic risks caused by IT-based white-collar crime in complex and interdependent value-added networks. Thus, when managing IT security in KRITIS, companies are confronted with risk events that occur extremely rarely, but have an immense damage potential, since usually not only individual companies but also a large part of the economy and society are affected. When managing risks from IT-based white-collar crime, it is particularly important to consider the numerous and non-transparent dependencies that result from the ever greater integration of companies into global and increasingly virtualized value-added networks. In addition, the motivation of attackers on IT systems usually differs. While KRITIS, for example, can be a preferred target for terrorist attacks, in the area of IT-based white-collar crime, for example, the espionage of competitors is a possible motive for attacks.

Data Privacy

Our second major focus in the research area is the issue of data privacy. In an increasingly interconnected world and against the background of ever stricter legislation such as the EU General Data Protection Regulation (GDPR), which came into force in 2018, the protection of data must be reconsidered. With the technological innovations of recent years, the volume of data that companies collect about their customers is increasing. Thus, the potential to generate success-relevant knowledge from data analyses is constantly increasing, especially since nowadays communication takes place freely and without need for (mobile) devices, thus enabling constant passive data collection. However, current research results also show that customers often have great concerns about data protection and the use of their data. Customer needs should therefore be reconciled with the dimensions “legal requirements”, “technical feasibility” and “monetizability of data” in an economically reasonable way. In terms of a sustainable, value-oriented corporate strategy, the payments for data protection measures should be in an optimal ratio to the expected cash-effective losses due to data protection risks such as sales losses due to damage to reputation or fines. In addition to the perception of data privacy with a focus on risk minimization, data protection and respect for privacy can also be seen as an opportunity and in particular as a starting point for expanding classic value propositions. Data protection can be a driver for new business models by gaining trust and good reputation. You can find more detailed information on this topic in the following data privacy brochure.


Our activities

Contact person

Prof. Dr. Torsten Eymann

Chair of Business Administration and Information Systems

Prof. Dr. Björn Häckel

Professorship for Digital Value Networks

Prof. Dr. Henner Gimpel

Chair of Digital Management

Dr. Christoph

Dr. Robert