Illustration by Lars Magnusson: Complexity of data flows, risking security. Information logistics as it is perceived vis-à-vis real world from some 15 organizations.
Left part: By leadership perceived data flow layout.
Right part: A typical real-world data flow layout.
Anita Mirijamdotter, Patrik Elm and Sarfraz Iqbal, Linnaeus University
Linnaeus University and the national graduate school Management and IT
Informatics (Department of Informatics, Faculty of Technology)
More about the project
Today, everything is vulnerable to data crimes. We have all the technology needed, but use it wrong or not at all. If an organization says it is secure, it is probably already hacked. We need more modern and enterprise covering governance methods to meet the rapid growth of IT crimes. We need to think smart, using mitigating system methods that place technology at the right place, in the right time, and in the right context.
Today, ICT governance is once more primarily driven by divisional and sectoral business managers in need of faster adaptation of new IT functions than are available from the central ICT organization. Managers often contract ad hoc specialized cloud services outside an often stagnant, legacy-bound, in-house ICT strategy.
Add to this the 25 May 2018 activation of the upgraded EU Privacy Regulation, the General Data Protection Regulation (GDPR). A regulation limiting the right to collect and process personal data, giving the data subject all rights to his/her data sets, independent of by whom and where this data is collected. Laws force the data collecting and processing organizations to have total control over any such data processed.
This includes a detailed understanding of data flows – including who did what, where and when, and under whose authorization – and of how data is transported and stored. Data/information flow maps are required as part of the mandatory system documentation for all systems, including those outsourced as cloud services. As a result, any organizational change will, without more modern governance models, require costly and time-consuming development efforts, particularly for adapting legacy to today’s situation.
For many organizations, this also poses an increased risk, since data is interconnected and transformed at all levels today. Since 2010, an increased IT criminality has siphoned off some 7 billion personal data records, most of them complete credit card data. US credit review firm Equifax lost 135 million records in 2016–17, which has put the company at the brink of bankruptcy. And there are more examples. Ponemon Institute has declared that over 87 % of all organizations reviewed had been breached. FBI says “If not yet hacked, you soon will”. As several surveys have shown, the majority of these breaches could have been fended off by using systematic governance best practice methods. The question is, why don’t they?
This research project consists of two parts. One ongoing licentiate thesis describing the issues with current governance practices, Current Enterprise IT Governance Effects on Information Security, and a future doctoral thesis, Secure Data Flow Oriented Multi-Vendor ICT Governance Model. Both use a systems thinking foundation, primarily Stafford Beer’s Viable System Model and new theories about information logistics, as presented around 2010 by researchers like Sandkuhl and Haftor & Kajtazi. The reason for this focus is that all systems today talk directly or indirectly to all other systems, often in ways not understood by leadership, while increasing security issues exponentially. Internet of Things and Artificial Intelligence systems are two areas estimated to increase data flow by some 5,000 % from 2018 to 2024. Not having a systemic approach will risk all this data.
This project is part of the research in the Linnaeus University Systems Community reseach group.