Who bears responsibility for IT security?

IT brings a raft of benefits wherever it is used, but it also carries risks. That raises the question of who can produce a framework that ensures across-the-board security. A case for Prof. Dirk Heckmann, Chair of Public Law, Security Law and Internet Law at the University of Passau. Since 2006, he has also directed the university’s Institute of IT Security and Security Law.


Our world would be unimaginable without IT and its related services, whether online shops, e-government or a connected healthcare sector. Digitalised systems offer many advantages, but they also harbour risks such as data loss, manipulated invoices and crippled servers, a real dilemma. Scenarios such as smart cities include super-critical infrastructures. Controlling such infrastructures requires clear arrangements to help ensure the availability, integrity and confidentiality of data and IT systems. “Data security is one of the biggest challenges of our time, primarily as the foundation of a functioning digital society. While we’ll never achieve absolute security, we urgently need to invest more,” says Professor Dirk Heckmann. For him, this is more than just a question of technology; the range of tasks is much broader. How do we get companies to develop better software? Are quality seals more effective than dictates and fines? Who is responsible for defects and damage? Who is responsible for the protection of IT systems?


Professor Heckmann is first and foremost concerned with the question of who carries the overall responsibility for IT security: businesses, users, science or the government? State-controlled IT, where government institutions issue mandatory regulations and verify compliance, would be the wrong approach, he believes. Nevertheless, he does consider it an important foundational step for policymakers to establish a legal framework that would provide a consistent level of security. He also maintains that society, i.e. users, cannot be made to carry overall responsibility, because they do not have the technological expertise to ensure adequate security. “Our educational system has largely failed in this area,” states the university professor, who then goes on to describe a possible solution: “Under the so-called ‘teacher concept’, we educators educate. We must raise awareness of IT security early on among young people from all corners of society who are good with IT.”

Self-interest and legal obligations.

What about companies? Business processes, from product development to communication and accounting, increasingly rely on IT. Technology makes many tasks easier, with systems increasing organisational efficiency, streamlining order processing and opening up new business opportunities—think digital transformation. However, the risk potential increases by the same measure. For example, IT infrastructures no longer face only outside threats, such as viruses or targeted cyber attacks. Companies must also plan for the loss of confidential data from within and for user errors made by employees. “For these reasons, IT system security is a core topic. It’s in each company’s own interest to tighten security as much as possible to protect its business processes and trade secrets,” explains Professor Heckmann. A company’s first line of defence for ensuring a secure environment is its in-house IT staff and specialist IT security departments. But they are effective only within that company’s own business and in its dealings with partners and customers; self-regulation by individual companies is not enough to protect the broader overall system. However, Professor Heckmann sees hope in the fact that tech groups are developing secure software and new technologies to safeguard user data through encryption and anonymisation.

The strengths and weaknesses of innovations.

That leaves science as the last candidate standing to develop guidelines guaranteeing IT security. Over the past two years, the University of Passau has been working on possible guidelines for a new IT security law. These efforts are led by Professor Heckmann, together with Professor Thomas Riehm, Chair of German and European Private Law, Civil Procedure and Legal Theory, and Dr Anne Paschke, Director of the Research Centre for IT Law and Internet Policy, as well as Ninja Marnau, Senior Researcher at the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany. The aim is to present these guidelines to relevant associations, companies and institutions for discussion based on real-world situations. “We are working on a plan for IT security regulation that will constitute and construct an IT security infrastructure. This requires a system of incentives that promises benefits for increasing IT security, for instance through tax breaks or better product placement on the market. I believe that IT security is only possible if science, government, business and society all contribute.” For Professor Heckmann, debates that weigh opportunity against risk may be the right place to start. “Whenever I get into my car, I know that I could get into an accident. But we’re all still mobile, having decided to accept this calculated risk. And I see this as a method we can apply in future scenarios such as self-driving cars.” For Professor Heckmann, the opportunities clearly have the upper hand. He supports his argument with an additional example: “If, with the help of cutting-edge technology, we develop new forms of therapy that save human lives, I feel the risk of data loss will obviously take a back seat. We must learn to trust the overall system. I myself am convinced that our society is able to weather the occasional setback, and that the benefits of technological progress clearly outweigh them.”

IT security ensures secure lives. I’m very excited to be able to conduct important, socially relevant research through our project on IT security regulation under the German Federal Office for Information Security. This project highlights the excellent research being conducted at the University of Passau and it fits perfectly with our area of specialisation, digitalisation.

Prof. Dr. Heckmann

In secure hands.


Thomas Thelen: When it was adopted in 2015, the German IT Security Act expanded the responsibilities of the Federal Office for Information Security (BSI). Can or should a government institution be responsible for guaranteeing comprehensive IT security for its country, companies and citizens? Greater control by the state has been demanded, especially after identity data was publicly disclosed in the so-called Collections #1-5.


Professor Dirk Heckmann: What you are asking about is a fundamental issue in IT security, namely how far the responsibility of individual stakeholders such as the government, users, manufacturers, providers, etc. goes when it comes to ensuring IT security. First of all, it must be understood that complex interdependencies make it impossible to hold one stakeholder fully responsible, except in rare cases. The only way we can get close to attaining a state of adequate IT security is through cooperation. In a sense, we can think of it as IT managed by joint owners. The government also carries its share of responsibility as it has the mandate to ensure security so that citizens can enjoy their freedoms. In principle, therefore, the government’s desire to increase efforts to meet this responsibility through the BSI should be viewed as positive, regardless of how effective the IT Security Act is in individual cases. That being said, it is important to remember that the government cannot guarantee protection everywhere, all the time. Appropriate measures and precautions must also be taken by IT users. The debates about digital education, however, show that users have not been equipped to do so. This is why the plans developed up until now to increase IT security can only ever be one mosaic tile.


Thomas Thelen: Germany’s current IT Security Act and Europe’s General Data Protection Regulation use the phrase “state of the art” quite often, and the recommendations of the IT Security Association Germany (TeleTrust) are key to understanding what this means exactly. Within the context of amending the IT Security Act, is it possible to describe dynamic technological developments in a reliable and legally sound manner?


Professor Dirk Heckmann: The broad reference to “state of the art” shows that regulation is, in many aspects, lagging behind innovation. There are several possible solutions, such as legally recognised standardisation and certification, which could be adapted more swiftly than laws or administrative orders. But even here, the innovation cycle is much too fast, meaning standards quickly become outdated. Referring to “state of the art” may provide less legal security, but it has a substantial advantage, namely that it doesn’t hinder innovation the same way that rigid standards or regulatory requirements do.


Thomas Thelen: You also sit on the Ethics Commission on Automated Driving, which is under the German Federal Ministry of Transport and Digital Infrastructure. There is much talk about the damage that could potentially be incurred by self-driving vehicles. Are there any arguments to counter this fear, for example the number of accidents that could be avoided by fast-reacting self-driving vehicles? And how can we pin down issues concerning liability when new types of technology are used?


Professor Dirk Heckmann: It is difficult to estimate these things before the new technology is actually used, especially since the development of self-driving vehicles still has a long way to go. Still, damage can never be entirely ruled out, so the goal must be to reduce risk. If automated driving systems end up becoming so reliable that we are able to lower the number of accidents, then using self-driving vehicles may even seem imperative. The Ethics Commission has commented extensively on this issue within its area of remit. Vehicles should also not be “upgraded” to legal entities in case damage does occur, as this would amount to unjustifiably outsourcing responsibility for the technology. In addition, not doing so preserves the current model, which includes strict liability for socially accepted risks and mandatory insurance. There is no reason to turn this system upside down.


Thomas Thelen: Your various roles also give you insight into critical infrastructures. A high percentage of those who are savvy about IT security put aside reserves for emergency situations of all kinds, including power outages. The German Federal Office of Civil Protection and Disaster Assistance has even published a checklist for this. Do you have a generator and food for ten days stored away in your basement?


Professor Dirk Heckmann: No generator, but I do have batteries for a torch, candles, wood for the fireplace and food for more than ten days—if you count chocolate and good wine.

Since 1996, Dirk Heckmann has been the Chair of Public Law, Security Law and Internet Law at the University of Passau. Since 2006, he has also directed the university’s Institute of IT Security and Security Law, where he heads up the For..Net research centre for IT law and internet policy. He joined the expert body of the German National IT Summit in 2007 and became a member of the Data Ethics Commission in 2018. Since 2014, Professor Heckmann has served as the Chairman of the German Association of Law and Informatics and since October 2018, he has directed the Bavarian Research Institute for Digital Transformation in Munich. On 1 October 2019, he will be switching to the Technical University of Munich’s new Chair of Law and Security of Digitisation, in an environment highly propitious to his continued interdisciplinary teaching and research. Professor Heckmann’s activities focus on those areas where IT and law intersect, in particular with respect to data protection law, IT security, e-government, privacy protection and e-health.


Picture: Prof. Dr. Dirk Heckmann at the Smart Country Convention © Smart Country Convention

Thomas Thelen, whose background includes a degree in business administration, worked as a researcher for the Chair of Information Management at the University of Cologne until 2001, focusing on e-government. Until 2004, he served as a project manager for nrw medien GmbH, which operated under the government of the federal state of North Rhine-Westphalia. Since 2005, Mr Thelen has been advising companies and administrations on infrastructures and IT security, focusing since 2012 on ISO 27001 certification and the German Federal Office for Information Security’s baseline IT certification, known as IT-Grundschutz. He has headed up the IT security department of Bechtle’s IT system house in Bonn since 2018. Mr Thelen holds numerous certifications, including CISM, TISP, Cobit Practitioner, ITIL Practitioner, ISO 27001 Lead Auditor, V-Modell XT PRO and TOGAF.

Contact person.

Bechtle update editorial team

Published on Oct 8, 2019.