Department of Computer Science
Prof. Dr Petra Haferkorn
Professor of Computer Science, in particular IT-Security Management
Unit
Department of Computer Science
Research fields
- Information Security Management
- IT Governance
- IT Risk Management
- IT audits of Companies, Public Authorities and other Organisations
Location
Sankt Augustin
Room
C 277
Address
Grantham-Allee 20
53757 Sankt Augustin
Telephone
+49 2241 865 9867
Profile
Courses:
- Information Security Management (ISMS)
- IT risk management
- On-site audit of the information security management of organisations
- Data protection, IT law and privacy
- Analysis and Linear Algebra
- Literature seminar
In the Bachelor and Master degree programmes Cyber Security & Privacy, Computer Science and Business Informatics.
Curriculum vitae
After studying mathematics with a minor in computer science, Petra Haferkorn worked at the German Federal Financial Supervisory Authority (BaFin) and led international on-site audits of the risk management of credit institutions, insurance companies and other financial service providers. In recent years, she has conducted IT audits focussing on the following areas: IT governance, information security management and information risk management systems.
Her auditing work presented her with challenges that she could not find satisfactory strategies for overcoming in traditional auditing and management theory. She therefore adopted concepts from recent sociological systems theory and its applications in systemic organisational consulting and applied them to her audit discussions and to the analysis of the functioning of IT security management systems.
Systemic approaches, for example, distinguish living from dead systems, which is very helpful when assessing the functioning of the socio-technical systems ‘information security management’ and ‘information risk management’:
While information technology adheres to predetermined rules and is mathematically determined, the social interactions of its users, programmers and other employees of an organisation cannot be precisely predetermined. For example, the addition of numbers leads to an unambiguous result, but the success of information security training for an organisation's employees remains uncertain.
While the laws of nature remain valid in purely technical systems, the (information) risks of organisations are constantly changing. For example, cables in a technical system will always burn out if the electrical voltage is too high, and corresponding experiments can be repeated by anyone at any time. In contrast, the behaviour of employees varies: sometimes they choose a secure password, and at other times they do not consider it necessary.
Recent sociological systems theory therefore doubts that social systems can be controlled in the same way as machines; the reaction of living systems to an external stimulus cannot be precisely predicted. This postulate calls into question the traditional view of how (IT) audits and IT security management systems work and creates a new understanding of terms such as IT risk and information security.
However, the aim of systems theory is not simply to confuse! Nor does it want to question the purpose of audit teams or managers. Quite the opposite! The advantages of this theoretical approach are of great practical relevance: Only a theory that mentally denies the controllability of living systems makes it possible to show ways and means of ‘leading’ social systems.
This applies both to audit teams in relation to (IT) audit processes and to other information security teams in relation to (IT) management processes. For example, the complex question of how to maintain an organisation's awareness of its information risks cannot be answered by (overly) simple solutions (such as the overly simplistic answer that employees attend one information security training course and will then know forever what they have to do for the organisation's information security).
Systems theory shows that there are no context-free, universally valid answers to the complex challenges of IT security management and prevents us from giving overly simple answers. If we follow the findings of agile and systemic approaches, audits and organisations learn how to deal with (ever new) risks through a step-by-step, circular approach. Uncertainties and risks are dealt with by the social systems through learning and decision-making processes.
Accordingly, an organisation will repeatedly sound out what the current labour market for IT specialists looks like (learning process) and then consider whether to hire or train (decision-making process), for example. Each of these decisions is analysed in terms of its impact on other employees, suppliers and customers and the decision taken is communicated appropriately. If the organisation later realises that the labour market or the wishes of the employees have changed, it will revisit this decision.
Generally speaking, the learning process in the factual dimension deliberately explores the organisation's lack of knowledge about IT security management. The decision-making process determines how to proceed on the basis of what has been learnt so far. At the same time, in the social dimension, the organisation keeps an eye on those affected and critics of current developments in order to include the perspectives of all interest groups and remain open to discussion with them. Only a dynamic information security management system is able to maintain a sufficient variety of actions in order to be able to react to unforeseen changes.
Memberships
‘d!nternal audit’ working group of the German Institute of Internal Auditing, topics: Role of auditors and auditing in increasingly digital companies and public authorities, in particular auditing IT governance, agile forms of organisation and large amounts of data
FONCSI NeTWork, Fondation pour une culture de sécurité industrielle, topics: Risk and security in various sectors and contexts
Publications
For up-to-date publications, please visit ResearchGate:
https://www.researchgate.net/profile/Petra-Haferkorn/research