Creation of a distinct culture for the overall system “Compliance, IT security and Data protection” in municipalities in Germany

Abstract

Public administrations in Germany today are increasingly exposed to attacks from the digital space. Threats to their IT systems or organizations in the physical world require security strategies. The Objectives of the work are the conviction of government leaders to enable themselves to control the implementation of data protection and IT security in their organizations with priority and resources. This also includes compliance as part ofinformation security management systems in order to better anchor compliance in the overall organization, especially at the operational level. The Prior work shows that only a few protective measures are implemented in municipalities in Germany, although models for IT-Governance are available. One reason could be the scope and abstractness of the management systems, which lead to avoiding the introduction phase. To close the gap between awareness of the relevance of the topic and the actual taking action of measures, clear vision of practical implementation must be conveyed in order to protect the organization sufficiently and permanently. The Approach is based on a combination of technology, strategy and people. A bipolar approach is to be chosen in this thesis: Government leaders are to be simulated by a game-based learning approach knowledge around the topics of IT security, data protection and compliance through serious games scenarios. At the operational level of the security officers, building blocks such as "Building information security", "Compliance processes and applications" and "Risk management" are to be developed collaboratively as predefined building blocks and meaningful process models are to be visualized at a uniform level of abstraction. The first Results lead to the realization that technical and organizational measures for institutional protection can be developed independently, so that no external consultants are required. Authority management can increasingly assume their responsibility in this area as soon as a basic understanding of sufficient resources has been established and their own roles in the overall system of compliance, IT security and data protection are assigned. The Implications include enabling government leaders to initiate and manage compliance in their organizations. The operationally responsible employees must be enabled to implement compliance in practice in cooperation with experts from thematic departments. In the long term, this is intended to create a distinct compliance culture in an organization. The Value of the work lies in getting compliance directly linked to the working level in order to anchor it directly in the organization. Government leaders are tasked with building a security- and risk- based culture. The thesis focuses in particular on adapting the mindset of employees and operational managers with regard to security risks and their consequences. Prioritization in preventive measures must therefore be shown in order to take up decisions on activities against cyber attacks and other incidents.