IT Security & Data Privacy
Digital risks
Risks for companies that are caused or intensified by digitization are manifold and of central importance to our Research Center Finance & Information Management and the Project Group Business & Information Systems Engineering of Fraunhofer FIT. Our team of experts focuses on two main research areas: IT security and data privacy. Digital risks include classic IT security topics and data privacy debates as well as systemic risks, for example in IT project portfolio management. In addition to questions of technical implementation, this also includes consideration of the human risk factor. Furthermore, the protection of people’s informational self-determination, in particular the consideration of human decision-making behavior when dealing with IT systems and data, is a crucial element of our research and teaching.

IT Security
In the research area of IT security, the goal is to design protection and control measures for information and communication systems within and between companies and to evaluate them from an economic perspective. To achieve this goal, investments in IT security are analyzed using a suitable combination of quantitative methods from financial risk management and non-monetary or qualitative approaches, enabling a multidimensional evaluation and monitoring of measures that increase IT security. On this basis, cost- and benefit-efficient portfolios of proactive and reactive IT security measures can be derived, so that not only large companies but in particular medium-sized companies can pursue economically reasonable IT security strategies despite limited budgets and resources. Decision support is provided in the form of tools, still to be developed, that allow a partially automated derivation and evaluation of alternative courses of action.
The research area focuses in particular on IT security in critical infrastructures (KRITIS) and on protecting companies from systemic risks caused by IT-based white-collar crime in complex and interdependent value-added networks. When managing IT security in KRITIS, companies are confronted with risk events that occur extremely rarely but have an immense damage potential, since usually not only individual companies but also a large part of the economy and society are affected. When managing risks from IT-based white-collar crime, it is particularly important to consider the numerous and non-transparent dependencies that result from the ever greater integration of companies into global and increasingly virtualized value-added networks. In addition, the motivation of attackers targeting IT systems usually differs: while KRITIS, for example, can be a preferred target for terrorist attacks, in the area of IT-based white-collar crime spying on competitors is one possible motive.
Data Privacy
Our second major focus in this research area is data privacy. In an increasingly interconnected world and against the background of ever stricter legislation such as the EU General Data Protection Regulation (GDPR), which came into force in 2018, the protection of data must be reconsidered. With the technological innovations of recent years, the volume of data that companies collect about their customers keeps growing. The potential to generate success-relevant knowledge from data analyses is therefore constantly increasing, especially since communication nowadays takes place freely and constantly via (mobile) devices, enabling continuous passive data collection. However, current research results also show that customers often have great concerns about data protection and the use of their data. Customer needs should therefore be reconciled with the dimensions “legal requirements”, “technical feasibility” and “monetizability of data” in an economically reasonable way. In terms of a sustainable, value-oriented corporate strategy, the expenditure on data protection measures should stand in an optimal ratio to the expected cash-relevant losses from data protection risks, such as lost sales due to reputational damage or fines. Beyond viewing data privacy with a focus on risk minimization, data protection and respect for privacy can also be seen as an opportunity and in particular as a starting point for expanding classic value propositions. Data protection can drive new business models by building trust and a good reputation. You can find more detailed information on this topic in our data privacy brochure.
Our activities
The Research Center FIM addresses relevant real-world problems both in publicly funded research projects and in applied research projects with partners in industry. Together with our partners, we develop unique and novel solutions based on our insights into the current state of research, our practical experience and the interdisciplinary and enthusiastic nature of our team. Selected projects are:
- MAI ILQ (2018 – 2021): Inline production and quality control during cutting and milling of metallic and CFRP production applications
Project’s objective: Data analytics and IoT-based value enhancement in metal-cutting production by means of cross-company, sovereign data exchange that does not expose know-how, as a basis for AI-based Industry 4.0 production processes and inline quality control.
- SIS 4.0 (2018 – 2022): Secure Industry 4.0 in Swabia (funded by the Bavarian State Ministry of Economic Affairs, Regional Development and Energy)
Project’s objective: Research into innovative security solutions for the transformation to Industry 4.0, with special consideration of security requirements, in order to develop suitable solutions for the planning, implementation and optimization of digitized development, production and logistics processes and for the design of digital and data-based services and business models based on Industry 4.0 technologies.
- Oberfranken 4.0 (2016 – 2020) (funded by the European Union and the Oberfrankenstiftung)
Project’s objective: To support small and medium-sized enterprises, especially in Northern Bavaria, with a wide range of services so that they can learn about future-oriented developments in the context of “Industry 4.0” and use them for innovative solutions in their own production and logistics. An exemplary factory with ultra-modern Industry 4.0 demonstrators and applications on the campus of the University of Bayreuth is intended to promote the transfer of knowledge and technology between research and practice. One of the main goals is the development of new approaches to improving IT security management in the Industry 4.0 context, which should enable companies to guarantee IT security for new production processes, products and services in the Industry 4.0 area.
- GESINE (2012 – 2015) (funded by the Federal Ministry for Economic Affairs and Energy (BMWi))
Project’s objective: Development of a practicable security concept that provides companies with reliable information on compliance with laws and guidelines and on the security of their electronic business processes.
- eRep (2006 – 2009) (funded by the European Commission)
Project’s objective: To determine what counts as relevant information about reputation. How can this information be represented, generated and distributed? And finally, how do agents deal with this information? In addition, the requirements for a supporting reputation system are analyzed from a technical point of view, and the extent to which existing systems meet these requirements is investigated. An assessment of the achievable degree of automation and the implementation and simulation in a distributed system round off this interdisciplinary project.
Studies
The following studies, whitepapers and books were developed on the basis of research work and in cooperation with partners in industry:
Scientific publications
In this area of expertise, we have published the following research papers in academic journals and at international conferences:
- Managing the Inevitable: A Maturity Model to Establish Incident Response Management Capabilities. In: Computers & Security, 2023. Bitzer, Michael; Häckel, Björn; Leuthe, Daniel; Ott, Joshua; Stahl, Bastian; Strobel, Jacqueline.
- IT Availability Risks in Smart Factory Networks: Analyzing the Effects of IT Threats on Production Processes Using Petri Nets. In: Information Systems Frontiers, 2022. Berger, Stephan; van Dun, Christopher; Häckel, Björn.
- Security First, Security by Design, or Security Pragmatism: Strategic Roles of IT Security in Digitalization Projects. In: Computers & Security, 2022. Ollig, Philipp; Guggenmos, Florian; Stahl, Bastian.
- COVID-19 Infection Tracing with Mobile Apps: Acceptance and Privacy Concerns. In: Proceedings of the 42nd International Conference on Information Systems (ICIS), Austin, USA, 2021. Fortagne, Marius Arved; Reith, Riccardo; Diel, Sören; Buck, Christoph; Lis, Bettina; Eymann, Torsten.
- Self-Sovereign Identity: Grundlagen, Anwendungen und Potenziale portabler digitaler Identitäten. 2021. Strüker, Jens; Urbach, Nils; Guggenberger, Tobias; Lautenschlager, Jonathan; Ruhland, Nicolas; Schlatt, Vincent; Sedlmeir, Johannes; Stoetzer, Jens-Christian; Völter, Fabiane.
- Auf dem Weg zum vertrauensvollen, unternehmensübergreifenden automatisierten Datenaustausch von Maschinen: Identifikation von schützenswertem Wissen im Zeitalter von Industrie 4.0. In: HMD Praxis der Wirtschaftsinformatik, 2021. Adler, Leon; Frank, Andreas; Gimpel, Henner; Heger, Sebastian; Nüske, Niclas; Starke, Joachim; Waldmann, Daniela; Wöhl, Moritz.
- Disentangling the Concept of Information Security Properties: Enabling Effective Information Security Governance. In: Proceedings of the 29th European Conference on Information Systems (ECIS), Marrakech, Morocco, 2021. Bitzer, Michael; Brinz, Nicolas; Ollig, Philipp.
- Never Trust, Always Verify: A Multivocal Literature Review on Current Knowledge and Research Gaps of Zero-trust. In: Computers & Security, 2021. Buck, Christoph; Olenberger, Christian; Schweizer, André; Völter, Fabiane; Eymann, Torsten.
- Pandemic Containment with Digital Measures: Acceptance and Privacy Aspects of Contact Tracing Apps. In: Proceedings of the 29th European Conference on Information Systems (ECIS), Marrakech, Morocco, 2021. Reith, Riccardo; Fortagne, Marius Arved; Diel, Sören; Buck, Christoph; Lis, Bettina; Eymann, Torsten.
- Approaching Digital Transformation: Development of a Multi-Dimensional Maturity Model. In: Proceedings of the 28th European Conference on Information Systems (ECIS), Marrakech, Morocco, 2020. Berger, Stephan; Bitzer, Michael; Häckel, Björn; Voit, Christian.
- Estimating the Impact of IT Security Incidents in Digitized Production Environments. In: Decision Support Systems, 2020. Bürger, Olga; Häckel, Björn; Karnebogen, Philip; Töppel, Jannick.
- Integrating Privacy Concerns Into the Unified Theory of Acceptance and Use of Technology to Explain the Adoption of Fitness Trackers. In: International Journal of Innovation and Technology Management, 2020. Reith, Riccardo; Buck, Christoph; Lis, Bettina; Eymann, Torsten.
- Tracking Fitness or Sickness: Combining Technology Acceptance and Privacy Research to Investigate the Actual Adoption of Fitness Trackers. In: Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS), Honolulu, USA, 2020. Reith, Riccardo; Buck, Christoph; Lis, Bettina; Eymann, Torsten.
- Value of Data Meets IT Security: Assessing IT Security Risks in Data-Driven Value Chains. In: Electronic Markets, 2020. Bitomsky, Laura; Bürger, Olga; Häckel, Björn; Töppel, Jannick.
- Assessing IT Availability Risks in Smart Factory Networks. In: Business Research, 2019. Häckel, Björn; Hänsch, Florian; Hertel, Michael; Übelhör, Jochen.
- How Privacy Affects the Acceptance of Mobile Payment Solutions. In: Proceedings of the 27th European Conference on Information Systems (ECIS), Uppsala, Sweden, 2019. Reith, Riccardo; Buck, Christoph; Walther, Dennis; Lis, Bettina; Eymann, Torsten.
- An Experiment Series on App Information Privacy Concerns. In: Proceedings of the 26th European Conference on Information Systems (ECIS), Portsmouth, UK, 2018. Buck, Christoph; Burster, Simone; Eymann, Torsten.
- Privacy as a Part of the Preference Structure of Users’ App Buying Decision. In: Leimeister, Jan Marco (ed.): Proceedings der 13. Internationalen Tagung Wirtschaftsinformatik (WI 2017), St. Gallen, 2017. Buck, Christoph; Stadler, Florian; Eymann, Torsten; Suckau, Kristin.
- Dealing with Privacy and Security Risks: App Consumers in Mobile Ecosystems. In: Kundisch, Dennis; Suhl, Leena; Beckmann, Lars (eds.): MKWI 2014 Multikonferenz Wirtschaftsinformatik, Univ., Paderborn, 2014. Buck, Christoph; Horbel, Chris; Eymann, Torsten.
- Das Privacy Paradox bei mobilen Applikationen: Kontextuale Besonderheiten mobiler Applikationen. In: Informatik 2013: Informatik angepasst an Mensch, Organisation und Umwelt. Workshop RiskKom – Risikokommunikation im Kontext von IT-Sicherheit. Proceedings, Köllen, Bonn, 2013. Eymann, Torsten; Buck, Christoph.